2 * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.187 2002/03/23 19:55:17 rgb Exp $";
19 #define __NO_VERSION__
20 #include <linux/module.h>
21 #include <linux/config.h> /* for CONFIG_IP_FORWARD */
22 #include <linux/version.h>
23 #include <linux/kernel.h> /* printk() */
25 /* XXX-mcr remove this definition when the code has been properly rototiled */
26 #define IPSEC_KLIPS1_COMPAT 1
27 #include "ipsec_param.h"
30 # include <linux/slab.h> /* kmalloc() */
31 #else /* MALLOC_SLAB */
32 # include <linux/malloc.h> /* kmalloc() */
33 #endif /* MALLOC_SLAB */
34 #include <linux/errno.h> /* error codes */
35 #include <linux/types.h> /* size_t */
36 #include <linux/interrupt.h> /* mark_bh */
38 #include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
39 #include <linux/etherdevice.h> /* eth_type_trans */
40 #include <linux/ip.h> /* struct iphdr */
41 #include <linux/tcp.h> /* struct tcphdr */
42 #include <linux/udp.h> /* struct udphdr */
43 #include <linux/skbuff.h>
46 # define MSS_HACK_ /* experimental */
47 # include <asm/uaccess.h>
48 # include <linux/in6.h>
49 # define ip_chk_addr inet_addr_type
50 # define IS_MYADDR RTN_LOCAL
53 # define dev_kfree_skb(a,b) kfree_skb(a)
54 # define proto_priv cb
57 #include <asm/checksum.h>
58 #include <net/icmp.h> /* icmp_send() */
61 # include <linux/netfilter_ipv4.h>
62 #endif /* NETDEV_23 */
64 #include <linux/ledman.h>
67 #include "ipsec_alg.h"
69 #include <linux/if_arp.h>
71 # include <net/tcp.h> /* TCP options */
75 #include "ipsec_life.h"
76 #include "ipsec_xform.h"
77 #include "ipsec_eroute.h"
78 #include "ipsec_encap.h"
79 #include "ipsec_radij.h"
80 #include "ipsec_netlink.h"
82 #include "ipsec_tunnel.h"
83 #include "ipsec_ipe4.h"
85 #include "ipsec_esp.h"
87 #ifdef CONFIG_IPSEC_IPCOMP
89 #endif /* CONFIG_IPSEC_IPCOMP */
94 #include "ipsec_proto.h"
96 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
97 #include <linux/udp.h>
100 static __u32 zeroes[64];
102 #ifdef CONFIG_IPSEC_DEBUG
103 int debug_tunnel = 0;
104 int sysctl_ipsec_debug_verbose = 0;
105 #endif /* CONFIG_IPSEC_DEBUG */
107 int sysctl_ipsec_icmp = 0;
108 int sysctl_ipsec_tos = 0;
110 #ifdef CONFIG_IPSEC_DEBUG_
112 dmp(char *s, caddr_t bb, int len)
115 unsigned char *b = bb;
118 printk(KERN_INFO "klips_debug:ipsec_tunnel_:dmp: "
122 for (i=0; i < len; i++) {
124 printk("\nklips_debug: ");
126 printk(" %02x", *b++);
131 #else /* CONFIG_IPSEC_DEBUG */
132 #define dmp(_x, _y, _z)
133 #endif /* CONFIG_IPSEC_DEBUG */
135 #ifndef SKB_COPY_EXPAND
137 * This is mostly skbuff.c:skb_copy().
140 skb_copy_expand(struct sk_buff *skb, int headroom, int tailroom, int priority)
143 unsigned long offset;
148 if((headroom < 0) || (tailroom < 0) || ((headroom+tailroom) < 0)) {
150 "klips_error:skb_copy_expand: "
151 "Illegal negative head,tailroom %d,%d\n",
157 * Allocate the copy buffer
165 n=alloc_skb(skb->end - skb->head + headroom + tailroom, priority);
167 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
168 "klips_debug:skb_copy_expand: "
169 "head=%p data=%p tail=%p end=%p end-head=%d tail-data=%d\n",
174 skb->end - skb->head,
175 skb->tail - skb->data);
181 * Shift between the two data areas in bytes
184 /* offset=n->head-skb->head; */ /* moved down a few lines */
186 /* Set the data pointer */
187 skb_reserve(n,skb->data-skb->head+headroom);
188 /* Set the tail pointer and length */
189 if(skb_tailroom(n) < skb->len) {
190 printk(KERN_WARNING "klips_error:skb_copy_expand: "
191 "tried to skb_put %ld, %d available. This should never happen, please report.\n",
192 (unsigned long int)skb->len,
194 dev_kfree_skb(n, FREE_WRITE);
199 offset=n->head + headroom - skb->head;
202 memcpy(n->head + headroom, skb->head,skb->end-skb->head);
205 n->priority=skb->priority;
206 n->dst=dst_clone(skb->dst);
208 n->nh.raw=skb->nh.raw+offset;
211 #endif /* NETDEV_23 */
212 atomic_set(&n->users, 1);
213 n->destructor = NULL;
214 n->security=skb->security;
219 n->ip_hdr=(struct iphdr *)(((char *)skb->ip_hdr)+offset);
224 n->end_seq=skb->end_seq;
225 n->ack_seq=skb->ack_seq;
233 n->protocol=skb->protocol;
238 n->h.raw=skb->h.raw+offset;
240 n->mac.raw=skb->mac.raw+offset;
241 memcpy(n->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
244 #endif /* !NETDEV_23 */
245 n->pkt_type=skb->pkt_type;
253 #endif /* !SKB_COPY_EXPAND */
255 #ifdef CONFIG_IPSEC_DEBUG
257 ipsec_print_ip(struct iphdr *ip)
259 char buf[ADDRTOA_BUF];
261 printk(KERN_INFO "klips_debug: IP:");
262 printk(" ihl:%d", ip->ihl*4);
263 printk(" ver:%d", ip->version);
264 printk(" tos:%d", ip->tos);
265 printk(" tlen:%d", ntohs(ip->tot_len));
266 printk(" id:%d", ntohs(ip->id));
267 printk(" %s%s%sfrag_off:%d",
268 ip->frag_off & __constant_htons(IP_CE) ? "CE " : "",
269 ip->frag_off & __constant_htons(IP_DF) ? "DF " : "",
270 ip->frag_off & __constant_htons(IP_MF) ? "MF " : "",
271 (ntohs(ip->frag_off) & IP_OFFSET) << 3);
272 printk(" ttl:%d", ip->ttl);
273 printk(" proto:%d", ip->protocol);
274 if(ip->protocol == IPPROTO_UDP)
276 if(ip->protocol == IPPROTO_TCP)
278 if(ip->protocol == IPPROTO_ICMP)
280 printk(" chk:%d", ntohs(ip->check));
281 addrtoa(*((struct in_addr*)(&ip->saddr)), 0, buf, sizeof(buf));
282 printk(" saddr:%s", buf);
283 if(ip->protocol == IPPROTO_UDP)
285 ntohs(((struct udphdr*)((caddr_t)ip + (ip->ihl << 2)))->source));
286 if(ip->protocol == IPPROTO_TCP)
288 ntohs(((struct tcphdr*)((caddr_t)ip + (ip->ihl << 2)))->source));
289 addrtoa(*((struct in_addr*)(&ip->daddr)), 0, buf, sizeof(buf));
290 printk(" daddr:%s", buf);
291 if(ip->protocol == IPPROTO_UDP)
293 ntohs(((struct udphdr*)((caddr_t)ip + (ip->ihl << 2)))->dest));
294 if(ip->protocol == IPPROTO_TCP)
296 ntohs(((struct tcphdr*)((caddr_t)ip + (ip->ihl << 2)))->dest));
297 if(ip->protocol == IPPROTO_ICMP)
298 printk(" type:code=%d:%d",
299 ((struct icmphdr*)((caddr_t)ip + (ip->ihl << 2)))->type,
300 ((struct icmphdr*)((caddr_t)ip + (ip->ihl << 2)))->code);
303 if(sysctl_ipsec_debug_verbose) {
307 c = ((__u8*)ip) + ip->ihl*4;
308 for(i = 0; i < ntohs(ip->tot_len) - ip->ihl*4; i++ /*, c++*/) {
311 "klips_debug: @%03x:",
314 printk(" %02x", /***/c[i]);
315 if(!((i + 1) % 16)) {
324 #endif /* CONFIG_IPSEC_DEBUG */
326 #ifdef REAL_LOCKING_P
333 ipsec_tunnel_lock(struct ipsecpriv *prv)
339 * Lock in an interrupt may fail
341 if(prv->locked && in_interrupt()) {
342 restore_flags(flags);
346 sleep_on(&prv->wait_queue);
348 restore_flags(flags);
355 ipsec_tunnel_unlock(struct ipsecpriv *prv)
358 wake_up(&prv->wait_queue);
361 #endif /* REAL_LOCKING_P */
364 ipsec_tunnel_open(struct device *dev)
366 struct ipsecpriv *prv = dev->priv;
369 * Can't open until attached.
372 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
373 "klips_debug:ipsec_tunnel_open: "
374 "dev = %s, prv->dev = %s\n",
375 dev->name, prv->dev?prv->dev->name:"NONE");
377 if (prv->dev == NULL)
385 ipsec_tunnel_close(struct device *dev)
394 * 1) Fragments arriving in the tunnel should probably be rejected.
395 * 2) How does this affect syncookies, mss_cache, dst cache ?
396 * 3) Path MTU discovery handling needs to be reviewed. For example,
397 * if we receive an ICMP 'packet too big' message from an intermediate
398 * router specifying it's next hop MTU, our stack may process this and
399 * adjust the MSS without taking our AH/ESP overheads into account.
404 * Recaclulate checksum using differences between changed datum,
405 * borrowed from netfilter.
407 DEBUG_NO_STATIC u_int16_t
408 ipsec_fast_csum(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
410 u_int32_t diffs[] = { oldvalinv, newval };
411 return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
416 * Determine effective MSS.
418 * Note that we assume that there is always an MSS option for our own
419 * SYN segments, which is mentioned in tcp_syn_build_options(), kernel 2.2.x.
420 * This could change, and we should probably parse TCP options instead.
423 DEBUG_NO_STATIC u_int8_t
424 ipsec_adjust_mss(struct sk_buff *skb, struct tcphdr *tcph, u_int16_t mtu)
426 u_int16_t oldmss, newmss;
428 struct sock *sk = skb->sk;
430 newmss = tcp_sync_mss(sk, mtu);
431 printk(KERN_INFO "klips: setting mss to %u\n", newmss);
432 mssp = (u_int32_t *)tcph + sizeof(struct tcphdr) / sizeof(u_int32_t);
433 oldmss = ntohl(*mssp) & 0x0000FFFF;
434 *mssp = htonl((TCPOPT_MSS << 24) | (TCPOLEN_MSS << 16) | newmss);
435 tcph->check = ipsec_fast_csum(htons(~oldmss),
436 htons(newmss), tcph->check);
439 #endif /* MSS_HACK */
442 static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
446 #endif /* NETDEV_23 */
449 * This function assumes it is being called from dev_queue_xmit()
450 * and that skb is filled properly by that function.
454 ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev)
456 struct ipsecpriv *prv; /* Our device' private space */
457 struct sk_buff *oskb = NULL; /* Original skb pointer */
458 struct net_device_stats *stats; /* This device's statistics */
459 struct iphdr *iph; /* Our new IP header */
460 __u32 newdst; /* The other SG's IP address */
461 __u32 orgdst; /* Original IP destination address */
462 __u32 orgedst; /* 1st SG's IP address */
463 __u32 newsrc; /* The new source SG's IP address */
464 __u32 orgsrc; /* Original IP source address */
465 __u32 innersrc; /* Innermost IP source address */
466 int iphlen; /* IP header length */
467 int pyldsz; /* upper protocol payload size */
470 int max_headroom = 0; /* The extra header space needed */
471 int max_tailroom = 0; /* The extra stuffing needed */
472 int ll_headroom; /* The extra link layer hard_header space needed */
473 int tot_headroom = 0; /* The total header space needed */
474 int tot_tailroom = 0; /* The totalstuffing needed */
475 __u8 *saved_header = NULL; /* saved copy of the hard header */
477 unsigned short sport,dport;
479 struct sockaddr_encap matcher; /* eroute search key */
481 struct ipsec_sa *tdbp, *tdbq; /* Tunnel Descriptor Block pointers */
484 int hard_header_stripped = 0; /* has the hard header been removed yet? */
485 int hard_header_len = 0;
486 struct device *physdev;
487 /* struct device *virtdev; */
492 struct rtable *rt = NULL;
494 struct sa_id outgoing_said;
499 uint32_t eroute_pid = 0;
501 #ifdef CONFIG_IPSEC_ALG
502 struct ipsec_alg_enc *ixt_e = NULL;
503 struct ipsec_alg_auth *ixt_a = NULL;
504 #endif /* CONFIG_IPSEC_ALG */
506 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
507 uint8_t natt_type = 0, natt_head = 0;
508 uint16_t natt_sport = 0, natt_dport = 0;
513 memset((char*)&tdb, 0, sizeof(struct ipsec_sa));
516 * Return if there is nothing to do. (Does this ever happen?) XXX
519 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
520 "klips_error:ipsec_tunnel_start_xmit: "
521 "Nothing to do!\n" );
525 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
526 "klips_error:ipsec_tunnel_start_xmit: "
527 "No device associated with skb!\n" );
533 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
534 "klips_error:ipsec_tunnel_start_xmit: "
535 "Device has no private structure!\n" );
540 if (physdev == NULL) {
541 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
542 "klips_error:ipsec_tunnel_start_xmit: "
543 "Device is not attached to physical device!\n" );
547 physmtu = physdev->mtu;
549 stats = (struct net_device_stats *) &(prv->mystats);
552 /* if skb was cloned (most likely due to a packet sniffer such as
553 tcpdump being momentarily attached to the interface), make
554 a copy of our own to modify */
555 if(skb_cloned(skb)) {
558 (skb_cow(skb, skb_headroom(skb)) != 0)
559 #else /* SKB_COW_NEW */
560 ((skb = skb_cow(skb, skb_headroom(skb))) == NULL)
561 #endif /* SKB_COW_NEW */
563 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
564 "klips_error:ipsec_tunnel_start_xmit: "
565 "skb_cow failed to allocate buffer, dropping.\n" );
578 /* sanity check for IP version as we can't handle IPv6 right now */
579 if (iph->version != 4) {
580 KLIPS_PRINT(debug_tunnel,
581 "klips_debug:ipsec_tunnel_start_xmit: "
582 "found IP Version %d but cannot process other IP versions than v4.\n",
583 iph->version); /* XXX */
588 /* physdev->hard_header_len is unreliable and should not be used */
589 hard_header_len = (unsigned char *)iph - skb->data;
591 if(hard_header_len < 0) {
592 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
593 "klips_error:ipsec_tunnel_start_xmit: "
594 "Negative hard_header_len (%d)?!\n", hard_header_len);
599 if(hard_header_len == 0) { /* no hard header present */
600 hard_header_stripped = 1;
603 #ifdef CONFIG_IPSEC_DEBUG
604 if (debug_tunnel & DB_TN_XMIT) {
608 printk(KERN_INFO "klips_debug:ipsec_tunnel_start_xmit: "
609 ">>> skb->len=%ld hard_header_len:%d",
610 (unsigned long int)skb->len, hard_header_len);
612 for (i=0; i < hard_header_len; i++) {
613 printk("%c%02x", c, skb->data[i]);
618 #endif /* CONFIG_IPSEC_DEBUG */
620 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph);
626 if ((iph->ihl << 2) != sizeof (struct iphdr)) {
627 KLIPS_PRINT(debug_tunnel,
628 "klips_debug:ipsec_tunnel_start_xmit: "
629 "cannot process IP header options yet. May be mal-formed packet.\n"); /* XXX */
635 /* TTL decrement code (on the way out!) borrowed from ip_forward.c */
637 unsigned long checksum = iph->check;
640 * Re-compute the IP header checksum.
641 * This is efficient. We know what has happened to the header
642 * and can thus adjust the checksum as Phil Karn does in KA9Q
643 * except we do this in "network byte order".
645 checksum += htons(0x0100);
646 /* carry overflow? */
647 checksum += checksum >> 16;
648 iph->check = checksum;
651 /* Tell the sender its packet died... */
652 ICMP_SEND(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0, physdev);
654 KLIPS_PRINT(debug_tunnel, "klips_debug:ipsec_tunnel_start_xmit: "
655 "TTL=0, too many hops!\n");
662 * First things first -- look us up in the erouting tables.
664 matcher.sen_len = sizeof (struct sockaddr_encap);
665 matcher.sen_family = AF_ENCAP;
666 matcher.sen_type = SENT_IP4;
667 matcher.sen_ip_src.s_addr = iph->saddr;
668 matcher.sen_ip_dst.s_addr = iph->daddr;
671 * The spinlock is to prevent any other process from accessing or deleting
672 * the eroute while we are using and updating it.
674 spin_lock(&eroute_lock);
676 er = ipsec_findroute(&matcher);
678 if(iph->protocol == IPPROTO_UDP) {
681 sport=ntohs(skb->sk->sport);
682 dport=ntohs(skb->sk->dport);
685 if((ntohs(iph->frag_off) & IP_OFFSET) == 0 &&
686 iph->ihl << 2 > sizeof(struct iphdr) + sizeof(struct udphdr)) {
687 sport=ntohs(((struct udphdr*)((caddr_t)iph+(iph->ihl<<2)))->source);
688 dport=ntohs(((struct udphdr*)((caddr_t)iph + (iph->ihl<<2)))->dest);
694 /* default to a %drop eroute */
695 outgoing_said.proto = IPPROTO_INT;
696 outgoing_said.spi = htonl(SPI_DROP);
697 outgoing_said.dst.s_addr = INADDR_ANY;
698 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
699 "klips_debug:ipsec_tunnel_start_xmit: "
700 "checking for local udp/500 IKE packet "
701 "saddr=%x, er=%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
702 ntohl((unsigned int)iph->saddr),
704 ntohl((unsigned int)iph->daddr),
705 er ? ntohl((unsigned int)er->er_said.dst.s_addr) : 0,
711 * Quick cheat for now...are we udp/500? If so, let it through
712 * without interference since it is most likely an IKE packet.
715 if (ip_chk_addr((unsigned long)iph->saddr) == IS_MYADDR
717 || iph->daddr == er->er_said.dst.s_addr
718 || INADDR_ANY == er->er_said.dst.s_addr)
719 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
720 && ((sport == 500) || (sport == 4500))
725 /* Whatever the eroute, this is an IKE message
726 * from us (i.e. not being forwarded).
727 * Furthermore, if there is a tunnel eroute,
728 * the destination is the peer for this eroute.
729 * So %pass the packet: modify the default %drop.
731 outgoing_said.spi = htonl(SPI_PASS);
732 if(!(skb->sk) && ((ntohs(iph->frag_off) & IP_MF) != 0)) {
733 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
734 "klips_debug:ipsec_tunnel_start_xmit: "
735 "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
739 er->er_lasttime = jiffies/HZ;
740 if(er->er_said.proto==IPPROTO_INT
741 && er->er_said.spi==htonl(SPI_HOLD)) {
742 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
743 "klips_debug:ipsec_tunnel_start_xmit: "
744 "shunt SA of HOLD: skb stored in HOLD.\n");
745 if(er->er_last != NULL) {
746 dev_kfree_skb(er->er_last, FREE_WRITE);
751 spin_unlock(&eroute_lock);
754 outgoing_said = er->er_said;
755 eroute_pid = er->er_pid;
756 /* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
757 if(outgoing_said.proto==IPPROTO_INT
758 && (outgoing_said.spi==htonl(SPI_TRAP)
759 || (outgoing_said.spi==htonl(SPI_TRAPSUBNET)))) {
762 tdb.tdb_ident_s.type = er->er_ident_s.type;
763 tdb.tdb_ident_s.id = er->er_ident_s.id;
764 tdb.tdb_ident_s.len = er->er_ident_s.len;
765 if (tdb.tdb_ident_s.len) {
766 len = tdb.tdb_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
767 if ((tdb.tdb_ident_s.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
768 printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: "
769 "Failed, tried to allocate %d bytes for source ident.\n",
772 spin_unlock(&eroute_lock);
775 memcpy(tdb.tdb_ident_s.data, er->er_ident_s.data, len);
777 tdb.tdb_ident_d.type = er->er_ident_d.type;
778 tdb.tdb_ident_d.id = er->er_ident_d.id;
779 tdb.tdb_ident_d.len = er->er_ident_d.len;
780 if (tdb.tdb_ident_d.len) {
781 len = tdb.tdb_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
782 if ((tdb.tdb_ident_d.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
783 printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: "
784 "Failed, tried to allocate %d bytes for dest ident.\n",
787 spin_unlock(&eroute_lock);
790 memcpy(tdb.tdb_ident_d.data, er->er_ident_d.data, len);
795 spin_unlock(&eroute_lock);
797 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
798 "klips_debug:ipsec_tunnel_start_xmit: "
799 "Original head,tailroom: %d,%d\n",
800 skb_headroom(skb), skb_tailroom(skb));
803 ledman_cmd(LEDMAN_CMD_SET, LEDMAN_VPN_TX);
806 innersrc = iph->saddr;
807 /* start encapsulation loop here XXX */
809 struct ipsec_sa *tdbprev = NULL;
811 newdst = orgdst = iph->daddr;
812 newsrc = orgsrc = iph->saddr;
813 orgedst = outgoing_said.dst.s_addr;
814 iphlen = iph->ihl << 2;
815 pyldsz = ntohs(iph->tot_len) - iphlen;
816 max_headroom = max_tailroom = 0;
818 if (outgoing_said.proto == IPPROTO_INT) {
819 switch (ntohl(outgoing_said.spi)) {
821 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
822 "klips_debug:ipsec_tunnel_start_xmit: "
823 "shunt SA of DROP or no eroute: dropping.\n");
828 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
829 "klips_debug:ipsec_tunnel_start_xmit: "
830 "shunt SA of REJECT: notifying and dropping.\n");
843 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
844 "klips_debug:ipsec_tunnel_start_xmit: "
845 "PASS: calling dev_queue_xmit\n");
848 #if 1 /* now moved up to finderoute so we don't need to lock it longer */
850 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
851 "klips_debug:ipsec_tunnel_start_xmit: "
852 "shunt SA of HOLD: this does not make sense here, dropping.\n");
860 /* XXX what do we do with an unknown shunt spi? */
862 } /* switch (ntohl(outgoing_said.spi)) */
864 } /* if (outgoing_said.proto == IPPROTO_INT) */
867 The spinlock is to prevent any other process from
868 accessing or deleting the TDB hash table or any of the
869 TDBs while we are using and updating them.
871 This is not optimal, but was relatively straightforward
872 at the time. A better way to do it has been planned for
873 more than a year, to lock the hash table and put reference
874 counts on each TDB instead. This is not likely to happen
875 in KLIPS1 unless a volunteer contributes it, but will be
876 designed into KLIPS2.
878 spin_lock(&tdb_lock);
880 tdbp = ipsec_sa_getbyid(&outgoing_said);
881 sa_len = satoa(outgoing_said, 0, sa, SATOA_BUF);
884 spin_unlock(&tdb_lock);
885 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
886 "klips_debug:ipsec_tunnel_start_xmit: "
887 "no Tunnel Descriptor Block for SA%s: outgoing packet with no SA, dropped.\n",
888 sa_len ? sa : " (error)");
893 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
894 "klips_debug:ipsec_tunnel_start_xmit: "
895 "found Tunnel Descriptor Block -- SA:<%s%s%s> %s\n",
896 IPS_XFORM_NAME(tdbp),
897 sa_len ? sa : " (error)");
900 * How much headroom do we need to be able to apply
901 * all the grouped transforms?
903 tdbq = tdbp; /* save the head of the tdb chain */
905 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
907 strcpy(sa, "(error)");
910 /* If it is in larval state, drop the packet, we cannot process yet. */
911 if(tdbp->tdb_state == SADB_SASTATE_LARVAL) {
912 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
913 "klips_debug:ipsec_tunnel_start_xmit: "
914 "TDB in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n",
915 IPS_XFORM_NAME(tdbp),
916 sa_len ? sa : " (error)");
917 spin_unlock(&tdb_lock);
922 if(tdbp->tdb_state == SADB_SASTATE_DEAD) {
923 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
924 "klips_debug:ipsec_tunnel_start_xmit: "
925 "TDB in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n",
926 IPS_XFORM_NAME(tdbp),
927 sa_len ? sa : " (error)");
928 spin_unlock(&tdb_lock);
933 /* If the replay window counter == -1, expire SA, it will roll */
934 if(tdbp->tdb_replaywin && tdbp->tdb_replaywin_lastseq == -1) {
935 pfkey_expire(tdbp, 1);
936 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
937 "klips_debug:ipsec_tunnel_start_xmit: "
938 "replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n",
939 IPS_XFORM_NAME(tdbp),
940 sa_len ? sa : " (error)");
941 ipsec_sa_delchain(tdbp);
942 spin_unlock(&tdb_lock);
948 * if this is the first time we are using this SA, mark start time,
949 * and offset hard/soft counters by "now" for later checking.
952 if(tdbp->ips_life.ipl_usetime.count == 0) {
953 tdbp->ips_life.ipl_usetime.count = jiffies;
954 tdbp->ips_life.ipl_usetime.hard += jiffies;
955 tdbp->ips_life.ipl_usetime.soft += jiffies;
960 if(ipsec_lifetime_check(&tdbp->ips_life.ipl_bytes, "bytes", sa,
961 ipsec_life_countbased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
962 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "addtime",sa,
963 ipsec_life_timebased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
964 ipsec_lifetime_check(&tdbp->ips_life.ipl_usetime, "usetime",sa,
965 ipsec_life_timebased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
966 ipsec_lifetime_check(&tdbp->ips_life.ipl_packets, "packets",sa,
967 ipsec_life_countbased, ipsec_outgoing, tdbp) == ipsec_life_harddied) {
969 ipsec_sa_delchain(tdbp);
970 spin_unlock(&tdb_lock);
976 headroom = tailroom = 0;
977 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
978 "klips_debug:ipsec_tunnel_start_xmit: "
979 "calling room for <%s%s%s>, SA:%s\n",
980 IPS_XFORM_NAME(tdbp),
981 sa_len ? sa : " (error)");
982 switch(tdbp->tdb_said.proto) {
983 #ifdef CONFIG_IPSEC_AH
985 headroom += sizeof(struct ah);
987 #endif /* CONFIG_IPSEC_AH */
988 #ifdef CONFIG_IPSEC_ESP
990 #ifdef CONFIG_IPSEC_ALG
991 if ((ixt_e=IPSEC_ALG_SA_ESP_ENC(tdbp))) {
992 blocksize = ixt_e->ixt_blocksize;
993 headroom += ESP_HEADER_LEN+blocksize;
995 #endif /* CONFIG_IPSEC_ALG */
996 switch(tdbp->tdb_encalg) {
997 #ifdef CONFIG_IPSEC_ENC_DES
999 headroom += sizeof(struct esp);
1001 #endif /* CONFIG_IPSEC_ENC_DES */
1002 #ifdef CONFIG_IPSEC_ENC_3DES
1004 headroom += sizeof(struct esp);
1006 #endif /* CONFIG_IPSEC_ENC_3DES */
1008 spin_unlock(&tdb_lock);
1012 #ifdef CONFIG_IPSEC_ALG
1013 if ((ixt_a=IPSEC_ALG_SA_ESP_AUTH(tdbp))) {
1014 tailroom += AHHMAC_HASHLEN;
1016 #endif /* CONFIG_IPSEC_ALG */
1017 switch(tdbp->tdb_authalg) {
1018 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
1020 tailroom += AHHMAC_HASHLEN;
1022 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
1023 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
1025 tailroom += AHHMAC_HASHLEN;
1027 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
1031 spin_unlock(&tdb_lock);
1035 tailroom += ((blocksize - ((pyldsz + 2 * sizeof(unsigned char)) % blocksize)) % blocksize) + 2;
1036 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1037 if ((tdbp->ips_natt_type) && (!natt_type)) {
1038 natt_type = tdbp->ips_natt_type;
1039 natt_sport = tdbp->ips_natt_sport;
1040 natt_dport = tdbp->ips_natt_dport;
1041 switch (natt_type) {
1042 case ESPINUDP_WITH_NON_IKE:
1043 natt_head = sizeof(struct udphdr)+(2*sizeof(__u32));
1045 case ESPINUDP_WITH_NON_ESP:
1046 natt_head = sizeof(struct udphdr);
1052 tailroom += natt_head;
1056 #endif /* !CONFIG_IPSEC_ESP */
1057 #ifdef CONFIG_IPSEC_IPIP
1059 headroom += sizeof(struct iphdr);
1061 #endif /* !CONFIG_IPSEC_IPIP */
1063 #ifdef CONFIG_IPSEC_IPCOMP
1065 We can't predict how much the packet will
1066 shrink without doing the actual compression.
1067 We could do it here, if we were the first
1068 encapsulation in the chain. That might save
1069 us a skb_copy_expand, since we might fit
1070 into the existing skb then. However, this
1071 would be a bit unclean (and this hack has
1072 bit us once), so we better not do it. After
1073 all, the skb_copy_expand is cheap in
1074 comparison to the actual compression.
1075 At least we know the packet will not grow.
1078 #endif /* CONFIG_IPSEC_IPCOMP */
1080 spin_unlock(&tdb_lock);
1084 tdbp = tdbp->tdb_onext;
1085 #ifdef CONFIG_IPSEC_ALG
1086 ixt_e = NULL; /* invalidate ipsec_alg */
1088 #endif /* CONFIG_IPSEC_ALG */
1089 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1090 "klips_debug:ipsec_tunnel_start_xmit: "
1091 "Required head,tailroom: %d,%d\n",
1092 headroom, tailroom);
1093 max_headroom += headroom;
1094 max_tailroom += tailroom;
1095 pyldsz += (headroom + tailroom);
1097 tdbp = tdbq; /* restore the head of the tdb chain */
1099 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1100 "klips_debug:ipsec_tunnel_start_xmit: "
1101 "existing head,tailroom: %d,%d before applying xforms with head,tailroom: %d,%d .\n",
1102 skb_headroom(skb), skb_tailroom(skb),
1103 max_headroom, max_tailroom);
1105 tot_headroom += max_headroom;
1106 tot_tailroom += max_tailroom;
1108 mtudiff = prv->mtu + tot_headroom + tot_tailroom - physmtu;
1110 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1111 "klips_debug:ipsec_tunnel_start_xmit: "
1112 "mtu:%d physmtu:%d tothr:%d tottr:%d mtudiff:%d ippkttotlen:%d\n",
1114 tot_headroom, tot_tailroom, mtudiff, ntohs(iph->tot_len));
1116 int newmtu = physmtu - (tot_headroom + ((tot_tailroom + 2) & ~7) + 5);
1118 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1119 "klips_info:ipsec_tunnel_start_xmit: "
1120 "dev %s mtu of %d decreased by %d to %d\n",
1128 skb->dst->pmtu = prv->mtu; /* RGB */
1132 dev->mtu = prv->mtu; /* RGB */
1138 If the sender is doing PMTU discovery, and the
1139 packet doesn't fit within prv->mtu, notify him
1140 (unless it was an ICMP packet, or it was not the
1141 zero-offset packet) and send it anyways.
1143 Note: buggy firewall configuration may prevent the
1144 ICMP packet from getting back.
1146 if(sysctl_ipsec_icmp
1147 && prv->mtu < ntohs(iph->tot_len)
1148 && (iph->frag_off & __constant_htons(IP_DF)) ) {
1149 int notify = iph->protocol != IPPROTO_ICMP
1150 && (iph->frag_off & __constant_htons(IP_OFFSET)) == 0;
1152 #ifdef IPSEC_obey_DF
1153 spin_unlock(&tdb_lock);
1154 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1155 "klips_debug:ipsec_tunnel_start_xmit: "
1156 "fragmentation needed and DF set; %sdropping packet\n",
1157 notify ? "sending ICMP and " : "");
1166 #else /* IPSEC_obey_DF */
1167 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1168 "klips_debug:ipsec_tunnel_start_xmit: "
1169 "fragmentation needed and DF set; %spassing packet\n",
1170 notify ? "sending ICMP and " : "");
1177 #endif /* IPSEC_obey_DF */
1182 * If this is a transport mode TCP packet with
1183 * SYN set, determine an effective MSS based on
1184 * AH/ESP overheads determined above.
1186 if (iph->protocol == IPPROTO_TCP
1187 && outgoing_said.proto != IPPROTO_IPIP) {
1188 struct tcphdr *tcph = skb->h.th;
1189 if (tcph->syn && !tcph->ack) {
1190 if(!ipsec_adjust_mss(skb, tcph, prv->mtu)) {
1191 spin_unlock(&tdb_lock);
1193 "klips_warning:ipsec_tunnel_start_xmit: "
1194 "ipsec_adjust_mss() failed\n");
1200 #endif /* MSS_HACK */
1202 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1203 if ((natt_type) && (outgoing_said.proto != IPPROTO_IPIP)) {
1205 * NAT-Traversal and Transport Mode:
1206 * we need to correct TCP/UDP checksum
1208 * If we've got NAT-OA, we can fix checksum without recalculation.
1209 * If we don't we can zero udp checksum.
1211 __u32 natt_oa = tdbp->ips_natt_oa ?
1212 ((struct sockaddr_in*)(tdbp->ips_natt_oa))->sin_addr.s_addr : 0;
1213 __u16 pkt_len = skb->tail - (unsigned char *)iph;
1214 __u16 data_len = pkt_len - (iph->ihl << 2);
1215 switch (iph->protocol) {
1217 if (data_len >= sizeof(struct tcphdr)) {
1218 struct tcphdr *tcp = (struct tcphdr *)((__u32 *)iph+iph->ihl);
1220 __u32 buff[2] = { ~iph->daddr, natt_oa };
1221 KLIPS_PRINT(debug_tunnel,
1222 "klips_debug:ipsec_tunnel_start_xmit: "
1223 "NAT-T & TRANSPORT: "
1224 "fix TCP checksum using NAT-OA\n");
1225 tcp->check = csum_fold(
1226 csum_partial((unsigned char *)buff, sizeof(buff),
1227 tcp->check^0xffff));
1230 KLIPS_PRINT(debug_tunnel,
1231 "klips_debug:ipsec_tunnel_start_xmit: "
1232 "NAT-T & TRANSPORT: do not recalc TCP checksum\n");
1236 KLIPS_PRINT(debug_tunnel,
1237 "klips_debug:ipsec_tunnel_start_xmit: "
1238 "NAT-T & TRANSPORT: can't fix TCP checksum\n");
1242 if (data_len >= sizeof(struct udphdr)) {
1243 struct udphdr *udp = (struct udphdr *)((__u32 *)iph+iph->ihl);
1244 if (udp->check == 0) {
1245 KLIPS_PRINT(debug_tunnel,
1246 "klips_debug:ipsec_tunnel_start_xmit: "
1247 "NAT-T & TRANSPORT: UDP checksum already 0\n");
1250 __u32 buff[2] = { ~iph->daddr, natt_oa };
1251 KLIPS_PRINT(debug_tunnel,
1252 "klips_debug:ipsec_tunnel_start_xmit: "
1253 "NAT-T & TRANSPORT: "
1254 "fix UDP checksum using NAT-OA\n");
1255 udp->check = csum_fold(
1256 csum_partial((unsigned char *)buff, sizeof(buff),
1257 udp->check^0xffff));
1260 KLIPS_PRINT(debug_tunnel,
1261 "klips_debug:ipsec_tunnel_start_xmit: "
1262 "NAT-T & TRANSPORT: zero UDP checksum\n");
1267 KLIPS_PRINT(debug_tunnel,
1268 "klips_debug:ipsec_tunnel_start_xmit: "
1269 "NAT-T & TRANSPORT: can't fix UDP checksum\n");
1273 KLIPS_PRINT(debug_tunnel,
1274 "klips_debug:ipsec_tunnel_start_xmit: "
1275 "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
1279 #endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
1281 if(!hard_header_stripped) {
1282 if((saved_header = kmalloc(hard_header_len, GFP_ATOMIC)) == NULL) {
1283 spin_unlock(&tdb_lock);
1284 printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: "
1285 "Failed, tried to allocate %d bytes for temp hard_header.\n",
1290 for (i = 0; i < hard_header_len; i++) {
1291 saved_header[i] = skb->data[i];
1293 if(skb->len < hard_header_len) {
1294 spin_unlock(&tdb_lock);
1295 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
1296 "tried to skb_pull hhlen=%d, %d available. This should never happen, please report.\n",
1297 hard_header_len, (int)(skb->len));
1301 skb_pull(skb, hard_header_len);
1302 hard_header_stripped = 1;
1304 /* iph = (struct iphdr *) (skb->data); */
1305 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1306 "klips_debug:ipsec_tunnel_start_xmit: "
1307 "head,tailroom: %d,%d after hard_header stripped.\n",
1308 skb_headroom(skb), skb_tailroom(skb));
1309 KLIPS_IP_PRINT(debug_tunnel & DB_TN_CROUT, iph);
1311 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1312 "klips_debug:ipsec_tunnel_start_xmit: "
1313 "hard header already stripped.\n");
1316 ll_headroom = (hard_header_len + 15) & ~15;
1318 if ((skb_headroom(skb) >= max_headroom + 2 * ll_headroom) &&
1319 (skb_tailroom(skb) >= max_tailroom)
1322 #endif /* !NET_21 */
1324 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1325 "klips_debug:ipsec_tunnel_start_xmit: "
1326 "data fits in existing skb\n");
1328 struct sk_buff* tskb = skb;
1334 tskb = skb_copy_expand(skb,
1335 /* The reason for 2 * link layer length here still baffles me...RGB */
1336 max_headroom + 2 * ll_headroom,
1340 if(tskb && skb->sk) {
1341 skb_set_owner_w(tskb, skb->sk);
1344 if(!(skb == oskb) ) {
1345 dev_kfree_skb(skb, FREE_WRITE);
1349 spin_unlock(&tdb_lock);
1351 "klips_debug:ipsec_tunnel_start_xmit: "
1352 "Failed, tried to allocate %d head and %d tailroom\n",
1353 max_headroom, max_tailroom);
1357 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1358 "klips_debug:ipsec_tunnel_start_xmit: "
1359 "head,tailroom: %d,%d after allocation\n",
1360 skb_headroom(skb), skb_tailroom(skb));
1364 * Apply grouped transforms to packet
1367 #ifdef CONFIG_IPSEC_ESP
1369 __u32 iv[ESP_IV_MAXSZ_INT];
1370 unsigned char *idat, *pad;
1371 int authlen = 0, padlen = 0, i;
1372 #endif /* !CONFIG_IPSEC_ESP */
1373 #ifdef CONFIG_IPSEC_AH
1376 #endif /* CONFIG_IPSEC_AH */
1377 #if defined(CONFIG_IPSEC_AUTH_HMAC_MD5) || defined(CONFIG_IPSEC_AUTH_HMAC_SHA1)
1379 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
1381 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
1382 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
1384 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
1387 #endif /* defined(CONFIG_IPSEC_AUTH_HMAC_MD5) || defined(CONFIG_IPSEC_AUTH_HMAC_SHA1) */
1388 int headroom = 0, tailroom = 0, ilen = 0, len = 0;
1391 iphlen = iph->ihl << 2;
1392 pyldsz = ntohs(iph->tot_len) - iphlen;
1393 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
1394 KLIPS_PRINT(debug_tunnel & DB_TN_OXFS,
1395 "klips_debug:ipsec_tunnel_start_xmit: "
1396 "calling output for <%s%s%s>, SA:%s\n",
1397 IPS_XFORM_NAME(tdbp),
1398 sa_len ? sa : " (error)");
1400 switch(tdbp->tdb_said.proto) {
1401 #ifdef CONFIG_IPSEC_AH
1403 headroom += sizeof(struct ah);
1405 #endif /* CONFIG_IPSEC_AH */
1406 #ifdef CONFIG_IPSEC_ESP
1408 #ifdef CONFIG_IPSEC_ALG
1409 if ((ixt_e=IPSEC_ALG_SA_ESP_ENC(tdbp))) {
1410 blocksize = ixt_e->ixt_blocksize;
1411 headroom += ESP_HEADER_LEN+blocksize;
1413 #endif /* CONFIG_IPSEC_ALG */
1414 switch(tdbp->tdb_encalg) {
1415 #ifdef CONFIG_IPSEC_ENC_DES
1417 headroom += sizeof(struct esp);
1419 #endif /* CONFIG_IPSEC_ENC_DES */
1420 #ifdef CONFIG_IPSEC_ENC_3DES
1422 headroom += sizeof(struct esp);
1424 #endif /* CONFIG_IPSEC_ENC_3DES */
1426 spin_unlock(&tdb_lock);
1430 #ifdef CONFIG_IPSEC_ALG
1431 if ((ixt_a=IPSEC_ALG_SA_ESP_AUTH(tdbp))) {
1432 authlen = AHHMAC_HASHLEN;
1434 #endif /* CONFIG_IPSEC_ALG */
1435 switch(tdbp->tdb_authalg) {
1436 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
1438 authlen = AHHMAC_HASHLEN;
1440 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
1441 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
1443 authlen = AHHMAC_HASHLEN;
1445 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
1449 spin_unlock(&tdb_lock);
1453 tailroom += ((blocksize - ((pyldsz + 2 * sizeof(unsigned char)) % blocksize)) % blocksize) + 2;
1454 tailroom += authlen;
1456 #endif /* !CONFIG_IPSEC_ESP */
1457 #ifdef CONFIG_IPSEC_IPIP
1459 headroom += sizeof(struct iphdr);
1461 #endif /* !CONFIG_IPSEC_IPIP */
1462 #ifdef CONFIG_IPSEC_IPCOMP
1465 #endif /* CONFIG_IPSEC_IPCOMP */
1467 spin_unlock(&tdb_lock);
1472 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1473 "klips_debug:ipsec_tunnel_start_xmit: "
1474 "pushing %d bytes, putting %d, proto %d.\n",
1475 headroom, tailroom, tdbp->tdb_said.proto);
1476 if(skb_headroom(skb) < headroom) {
1477 spin_unlock(&tdb_lock);
1479 "klips_error:ipsec_tunnel_start_xmit: "
1480 "tried to skb_push headroom=%d, %d available. This should never happen, please report.\n",
1481 headroom, skb_headroom(skb));
1485 dat = skb_push(skb, headroom);
1486 ilen = skb->len - tailroom;
1487 if(skb_tailroom(skb) < tailroom) {
1488 spin_unlock(&tdb_lock);
1490 "klips_error:ipsec_tunnel_start_xmit: "
1491 "tried to skb_put %d, %d available. This should never happen, please report.\n",
1492 tailroom, skb_tailroom(skb));
1496 skb_put(skb, tailroom);
1497 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1498 "klips_debug:ipsec_tunnel_start_xmit: "
1499 "head,tailroom: %d,%d before xform.\n",
1500 skb_headroom(skb), skb_tailroom(skb));
1503 spin_unlock(&tdb_lock);
1504 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
1505 "tot_len (%d) > 65520. This should never happen, please report.\n",
1510 memmove((void *)dat, (void *)(dat + headroom), iphlen);
1511 iph = (struct iphdr *)dat;
1512 iph->tot_len = htons(skb->len);
1514 switch(tdbp->tdb_said.proto) {
1515 #ifdef CONFIG_IPSEC_ESP
1517 espp = (struct esp *)(dat + iphlen);
1518 espp->esp_spi = tdbp->tdb_said.spi;
1519 espp->esp_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
1521 #ifdef CONFIG_IPSEC_ALG
1523 #endif /* CONFIG_IPSEC_ALG */
1524 switch(tdbp->tdb_encalg) {
1525 #if defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES)
1526 #ifdef CONFIG_IPSEC_ENC_DES
1528 #endif /* CONFIG_IPSEC_ENC_DES */
1529 #ifdef CONFIG_IPSEC_ENC_3DES
1531 #endif /* CONFIG_IPSEC_ENC_3DES */
1532 iv[0] = *((__u32*)&(espp->esp_iv) ) =
1533 ((__u32*)(tdbp->tdb_iv))[0];
1534 iv[1] = *((__u32*)&(espp->esp_iv) + 1) =
1535 ((__u32*)(tdbp->tdb_iv))[1];
1537 #endif /* defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES) */
1538 #ifdef CONFIG_IPSEC_ENC_NULL
1541 #endif /* CONFIG_IPSEC_ENC_NULL */
1543 spin_unlock(&tdb_lock);
1548 idat = dat + iphlen + headroom;
1549 ilen = len - (iphlen + headroom + authlen);
1551 /* Self-describing padding */
1552 pad = &dat[len - tailroom];
1553 padlen = tailroom - 2 - authlen;
1554 for (i = 0; i < padlen; i++) {
1557 dat[len - authlen - 2] = padlen;
1559 dat[len - authlen - 1] = iph->protocol;
1560 iph->protocol = IPPROTO_ESP;
1562 #ifdef CONFIG_IPSEC_ALG
1563 /* Do all operations here:
1564 * copy IV->ESP, encrypt, update ips IV
1568 memcpy(espp->esp_iv,
1570 ixt_e->ixt_blocksize);
1571 ret=ipsec_alg_esp_encrypt(tdbp,
1572 idat, ilen, espp->esp_iv,
1574 memcpy(tdbp->ips_iv,
1575 idat + ilen - ixt_e->ixt_blocksize,
1576 ixt_e->ixt_blocksize);
1578 #endif /* CONFIG_IPSEC_ALG */
1579 switch(tdbp->tdb_encalg) {
1580 #ifdef CONFIG_IPSEC_ENC_DES
1582 des_cbc_encrypt(idat, idat, ilen,
1583 (caddr_t)tdbp->tdb_key_e,
1586 #endif /* CONFIG_IPSEC_ENC_DES */
1587 #ifdef CONFIG_IPSEC_ENC_3DES
1589 des_ede3_cbc_encrypt((des_cblock *)idat,
1592 ((struct des_eks *)(tdbp->tdb_key_e))[0].ks,
1593 ((struct des_eks *)(tdbp->tdb_key_e))[1].ks,
1594 ((struct des_eks *)(tdbp->tdb_key_e))[2].ks,
1595 (des_cblock *)iv, 1);
1597 #endif /* CONFIG_IPSEC_ENC_3DES */
1599 spin_unlock(&tdb_lock);
1603 #ifdef CONFIG_IPSEC_ALG
1605 #endif /* CONFIG_IPSEC_ALG */
1607 switch(tdbp->tdb_encalg) {
1608 #if defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES)
1609 #ifdef CONFIG_IPSEC_ENC_DES
1611 #endif /* CONFIG_IPSEC_ENC_DES */
1612 #ifdef CONFIG_IPSEC_ENC_3DES
1614 #endif /* CONFIG_IPSEC_ENC_3DES */
1615 /* XXX update IV with the last 8 octets of the encryption */
1616 ((__u32*)(tdbp->tdb_iv))[0] =
1617 ((__u32 *)(idat))[(ilen >> 2) - 2];
1618 ((__u32*)(tdbp->tdb_iv))[1] =
1619 ((__u32 *)(idat))[(ilen >> 2) - 1];
1621 #endif /* defined(CONFIG_IPSEC_ENC_DES) || defined(CONFIG_IPSEC_ENC_3DES) */
1622 #ifdef CONFIG_IPSEC_ENC_NULL
1625 #endif /* CONFIG_IPSEC_ENC_NULL */
1627 spin_unlock(&tdb_lock);
1631 #ifdef CONFIG_IPSEC_ALG
1633 ipsec_alg_sa_esp_hash(tdbp,
1634 (caddr_t)espp, len - iphlen - authlen,
1635 &(dat[len - authlen]), authlen);
1638 #endif /* CONFIG_IPSEC_ALG */
1640 switch(tdbp->tdb_authalg) {
1641 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
1643 dmp("espp", (char*)espp, len - iphlen - authlen);
1644 tctx.md5 = ((struct md5_ctx*)(tdbp->tdb_key_a))->ictx;
1645 dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
1646 MD5Update(&tctx.md5, (caddr_t)espp, len - iphlen - authlen);
1647 dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
1648 MD5Final(hash, &tctx.md5);
1649 dmp("ictx hash", (char*)&hash, sizeof(hash));
1650 tctx.md5 = ((struct md5_ctx*)(tdbp->tdb_key_a))->octx;
1651 dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
1652 MD5Update(&tctx.md5, hash, AHMD596_ALEN);
1653 dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
1654 MD5Final(hash, &tctx.md5);
1655 dmp("octx hash", (char*)&hash, sizeof(hash));
1656 memcpy(&(dat[len - authlen]), hash, authlen);
1659 memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
1660 memset((caddr_t)hash, 0, sizeof(*hash));
1662 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
1663 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
1665 tctx.sha1 = ((struct sha1_ctx*)(tdbp->tdb_key_a))->ictx;
1666 SHA1Update(&tctx.sha1, (caddr_t)espp, len - iphlen - authlen);
1667 SHA1Final(hash, &tctx.sha1);
1668 tctx.sha1 = ((struct sha1_ctx*)(tdbp->tdb_key_a))->octx;
1669 SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
1670 SHA1Final(hash, &tctx.sha1);
1671 memcpy(&(dat[len - authlen]), hash, authlen);
1674 memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
1675 memset((caddr_t)hash, 0, sizeof(*hash));
1677 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
1681 spin_unlock(&tdb_lock);
1686 skb->h.raw = (unsigned char*)espp;
1689 #endif /* !CONFIG_IPSEC_ESP */
1690 #ifdef CONFIG_IPSEC_AH
1692 ahp = (struct ah *)(dat + iphlen);
1693 ahp->ah_spi = tdbp->tdb_said.spi;
1694 ahp->ah_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
1696 ahp->ah_nh = iph->protocol;
1697 ahp->ah_hl = (headroom >> 2) - sizeof(__u64)/sizeof(__u32);
1698 iph->protocol = IPPROTO_AH;
1699 dmp("ahp", (char*)ahp, sizeof(*ahp));
1706 dmp("ipo", (char*)&ipo, sizeof(ipo));
1708 switch(tdbp->tdb_authalg) {
1709 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
1711 tctx.md5 = ((struct md5_ctx*)(tdbp->tdb_key_a))->ictx;
1712 dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
1713 MD5Update(&tctx.md5, (unsigned char *)&ipo, sizeof (struct iphdr));
1714 dmp("ictx+ipo", (char*)&tctx.md5, sizeof(tctx.md5));
1715 MD5Update(&tctx.md5, (unsigned char *)ahp, headroom - sizeof(ahp->ah_data));
1716 dmp("ictx+ahp", (char*)&tctx.md5, sizeof(tctx.md5));
1717 MD5Update(&tctx.md5, (unsigned char *)zeroes, AHHMAC_HASHLEN);
1718 dmp("ictx+zeroes", (char*)&tctx.md5, sizeof(tctx.md5));
1719 MD5Update(&tctx.md5, dat + iphlen + headroom, len - iphlen - headroom);
1720 dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
1721 MD5Final(hash, &tctx.md5);
1722 dmp("ictx hash", (char*)&hash, sizeof(hash));
1723 tctx.md5 = ((struct md5_ctx*)(tdbp->tdb_key_a))->octx;
1724 dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
1725 MD5Update(&tctx.md5, hash, AHMD596_ALEN);
1726 dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
1727 MD5Final(hash, &tctx.md5);
1728 dmp("octx hash", (char*)&hash, sizeof(hash));
1730 memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN);
1733 memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
1734 memset((caddr_t)hash, 0, sizeof(hash));
1736 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
1737 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
1739 tctx.sha1 = ((struct sha1_ctx*)(tdbp->tdb_key_a))->ictx;
1740 SHA1Update(&tctx.sha1, (unsigned char *)&ipo, sizeof (struct iphdr));
1741 SHA1Update(&tctx.sha1, (unsigned char *)ahp, headroom - sizeof(ahp->ah_data));
1742 SHA1Update(&tctx.sha1, (unsigned char *)zeroes, AHHMAC_HASHLEN);
1743 SHA1Update(&tctx.sha1, dat + iphlen + headroom, len - iphlen - headroom);
1744 SHA1Final(hash, &tctx.sha1);
1745 tctx.sha1 = ((struct sha1_ctx*)(tdbp->tdb_key_a))->octx;
1746 SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
1747 SHA1Final(hash, &tctx.sha1);
1749 memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN);
1752 memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
1753 memset((caddr_t)hash, 0, sizeof(hash));
1755 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
1757 spin_unlock(&tdb_lock);
1762 skb->h.raw = (unsigned char*)ahp;
1765 #endif /* CONFIG_IPSEC_AH */
1766 #ifdef CONFIG_IPSEC_IPIP
1769 switch(sysctl_ipsec_tos) {
1772 iph->tos = skb->nh.iph->tos;
1774 iph->tos = skb->ip_hdr->tos;
1785 iph->ttl = sysctl_ip_default_ttl;
1786 #else /* NETDEV_23 */
1787 iph->ttl = ip_statistics.IpDefaultTTL;
1788 #endif /* NETDEV_23 */
1790 iph->ttl = 64; /* ip_statistics.IpDefaultTTL; */
1793 iph->saddr = ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr;
1794 iph->daddr = ((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr.s_addr;
1795 iph->protocol = IPPROTO_IPIP;
1796 iph->ihl = sizeof(struct iphdr) >> 2 /* 5 */;
1797 #ifdef IP_SELECT_IDENT
1798 /* XXX use of skb->dst below is a questionable
1799 substitute for &rt->u.dst which is only
1800 available later-on */
1801 #ifdef IP_SELECT_IDENT_NEW
1802 ip_select_ident(iph, skb->dst, NULL);
1803 #else /* IP_SELECT_IDENT_NEW */
1804 ip_select_ident(iph, skb->dst);
1805 #endif /* IP_SELECT_IDENT_NEW */
1806 #else /* IP_SELECT_IDENT */
1807 iph->id = htons(ip_id_count++); /* Race condition here? */
1808 #endif /* IP_SELECT_IDENT */
1810 newdst = (__u32)iph->daddr;
1811 newsrc = (__u32)iph->saddr;
1814 skb->h.ipiph = skb->nh.iph;
1817 #endif /* !CONFIG_IPSEC_IPIP */
1818 #ifdef CONFIG_IPSEC_IPCOMP
1821 unsigned int flags = 0;
1822 #ifdef CONFIG_IPSEC_DEBUG
1823 unsigned int old_tot_len = ntohs(iph->tot_len);
1824 #endif /* CONFIG_IPSEC_DEBUG */
1825 tdbp->tdb_comp_ratio_dbytes += ntohs(iph->tot_len);
1827 skb = skb_compress(skb, tdbp, &flags);
1835 tdbp->tdb_comp_ratio_cbytes += ntohs(iph->tot_len);
1837 #ifdef CONFIG_IPSEC_DEBUG
1838 if (debug_tunnel & DB_TN_CROUT)
1840 if (old_tot_len > ntohs(iph->tot_len))
1841 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1842 "klips_debug:ipsec_tunnel_start_xmit: "
1843 "packet shrunk from %d to %d bytes after compression, cpi=%04x (should be from spi=%08x, spi&0xffff=%04x.\n",
1844 old_tot_len, ntohs(iph->tot_len),
1845 ntohs(((struct ipcomphdr*)(((char*)iph) + ((iph->ihl) << 2)))->ipcomp_cpi),
1846 ntohl(tdbp->tdb_said.spi),
1847 (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff));
1849 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1850 "klips_debug:ipsec_tunnel_start_xmit: "
1851 "packet did not compress (flags = %d).\n",
1854 #endif /* CONFIG_IPSEC_DEBUG */
1857 #endif /* CONFIG_IPSEC_IPCOMP */
1859 spin_unlock(&tdb_lock);
1865 skb->nh.raw = skb->data;
1867 skb->ip_hdr = skb->h.iph = (struct iphdr *) skb->data;
1870 iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
1872 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1873 "klips_debug:ipsec_tunnel_start_xmit: "
1874 "after <%s%s%s>, SA:%s:\n",
1875 IPS_XFORM_NAME(tdbp),
1876 sa_len ? sa : " (error)");
1877 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph);
1879 tdbp->ips_life.ipl_bytes.ipl_count += len;
1880 tdbp->ips_life.ipl_bytes.ipl_last = len;
1882 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
1883 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
1885 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
1886 tdbp->ips_life.ipl_packets.ipl_count++;
1889 tdbp = tdbp->ips_onext;
1890 #ifdef CONFIG_IPSEC_ALG
1891 ixt_e = NULL; /* invalidate ipsec_alg */
1893 #endif /* CONFIG_IPSEC_ALG */
1896 /* end encapsulation loop here XXX */
1898 spin_unlock(&tdb_lock);
1900 matcher.sen_ip_src.s_addr = iph->saddr;
1901 matcher.sen_ip_dst.s_addr = iph->daddr;
1902 spin_lock(&eroute_lock);
1903 er = ipsec_findroute(&matcher);
1905 outgoing_said = er->er_said;
1906 eroute_pid = er->er_pid;
1908 er->er_lasttime = jiffies/HZ;
1910 spin_unlock(&eroute_lock);
1911 KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
1912 /* ((orgdst != newdst) || (orgsrc != newsrc)) */
1913 (orgedst != outgoing_said.dst.s_addr) &&
1914 outgoing_said.dst.s_addr &&
1916 "klips_debug:ipsec_tunnel_start_xmit: "
1917 "We are recursing here.\n");
1918 } while(/*((orgdst != newdst) || (orgsrc != newsrc))*/
1919 (orgedst != outgoing_said.dst.s_addr) &&
1920 outgoing_said.dst.s_addr &&
1923 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1924 "klips_debug:ipsec_tunnel_start_xmit: "
1925 "After recursive xforms -- head,tailroom: %d,%d\n",
1926 skb_headroom(skb), skb_tailroom(skb));
1929 if(skb_headroom(skb) < hard_header_len) {
1931 "klips_error:ipsec_tunnel_start_xmit: "
1932 "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
1933 hard_header_len, skb_headroom(skb));
1937 skb_push(skb, hard_header_len);
1938 for (i = 0; i < hard_header_len; i++) {
1939 skb->data[i] = saved_header[i];
1942 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1943 if (natt_type && natt_head) {
1944 struct iphdr *ipp = skb->nh.iph;
1946 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1947 "klips_debug:ipsec_tunnel_start_xmit: "
1948 "encapsuling packet into UDP (NAT-Traversal)\n");
1949 iphlen = ipp->ihl << 2;
1951 htons(ntohs(ipp->tot_len) + natt_head);
1952 if(skb_tailroom(skb) < natt_head) {
1953 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
1954 "tried to skb_put %d, %d available. "
1955 "This should never happen, please report.\n",
1961 skb_put(skb, natt_head);
1962 udp = (struct udphdr *)((char *)ipp + iphlen);
1963 /* move ESP hdr after UDP hdr */
1964 memmove((void *)((char *)udp + natt_head),
1966 ntohs(ipp->tot_len) - iphlen - natt_head);
1967 /* clear UDP & Non-IKE Markers (if any) */
1968 memset(udp, 0, natt_head);
1969 /* fill UDP with usefull informations ;-) */
1970 udp->source = htons(natt_sport);
1971 udp->dest = htons(natt_dport);
1972 udp->len = htons(ntohs(ipp->tot_len) - iphlen);
1974 ipp->protocol = IPPROTO_UDP;
1975 /* fix IP checksum */
1977 ipp->check = ip_fast_csum((unsigned char *)ipp, ipp->ihl);
1981 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1982 "klips_debug:ipsec_tunnel_start_xmit: "
1983 "With hard_header, final head,tailroom: %d,%d\n",
1984 skb_headroom(skb), skb_tailroom(skb));
1986 #ifdef NET_21 /* 2.2 and 2.4 kernels */
1987 /* new route/dst cache code from James Morris */
1989 /*skb_orphan(skb);*/
1990 if((error = ip_route_output(&rt,
1992 pass ? 0 : skb->nh.iph->saddr,
1993 RT_TOS(skb->nh.iph->tos),
1994 physdev->iflink /* rgb: should this be 0? */))) {
1996 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1997 "klips_debug:ipsec_tunnel_start_xmit: "
1998 "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
2000 rt->u.dst.dev->name);
2003 if(dev == rt->u.dst.dev) {
2005 /* This is recursion, drop it. */
2007 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2008 "klips_debug:ipsec_tunnel_start_xmit: "
2009 "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n", dev->name);
2012 dst_release(skb->dst);
2013 skb->dst = &rt->u.dst;
2014 stats->tx_bytes += skb->len;
2015 if(skb->len < skb->nh.raw - skb->data) {
2018 "klips_error:ipsec_tunnel_start_xmit: "
2019 "tried to __skb_pull nh-data=%d, %d available. This should never happen, please report.\n",
2020 skb->nh.raw - skb->data, skb->len);
2023 __skb_pull(skb, skb->nh.raw - skb->data);
2024 #ifdef SKB_RESET_NFCT
2025 nf_conntrack_put(skb->nfct);
2027 #ifdef CONFIG_NETFILTER_DEBUG
2029 #endif /* CONFIG_NETFILTER_DEBUG */
2030 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
2031 nf_bridge_put(skb->nf_bridge);
2032 skb->nf_bridge = NULL;
2034 #endif /* SKB_RESET_NFCT */
2035 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2036 "klips_debug:ipsec_tunnel_start_xmit: "
2037 "...done, calling ip_send() on device:%s\n",
2038 skb->dev ? skb->dev->name : "NULL");
2039 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, skb->nh.iph);
2040 #ifdef NETDEV_23 /* 2.4 kernels */
2044 err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
2045 ipsec_tunnel_xmit2);
2046 if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
2049 "klips_error:ipsec_tunnel_start_xmit: "
2050 "ip_send() failed, err=%d\n",
2053 stats->tx_aborted_errors++;
2058 #else /* NETDEV_23 */ /* 2.2 kernels */
2060 #endif /* NETDEV_23 */
2061 #else /* NET_21 */ /* 2.0 kernels */
2063 /* ISDN/ASYNC PPP from Matjaz Godec. */
2064 /* skb->protocol = htons(ETH_P_IP); */
2065 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2066 "klips_debug:ipsec_tunnel_start_xmit: "
2067 "...done, calling dev_queue_xmit() or ip_fragment().\n");
2068 IP_SEND(skb, physdev);
2070 stats->tx_packets++;
2074 #if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
2075 netif_wake_queue(dev);
2076 #else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
2078 #endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
2080 kfree(saved_header);
2083 dev_kfree_skb(skb, FREE_WRITE);
2086 dev_kfree_skb(oskb, FREE_WRITE);
2088 if (tdb.tdb_ident_s.data) {
2089 kfree(tdb.tdb_ident_s.data);
2091 if (tdb.tdb_ident_d.data) {
2092 kfree(tdb.tdb_ident_d.data);
2097 DEBUG_NO_STATIC struct net_device_stats *
2098 ipsec_tunnel_get_stats(struct device *dev)
2100 return &(((struct ipsecpriv *)(dev->priv))->mystats);
2105 * For each of these calls, a field exists in our private structure.
2109 ipsec_tunnel_hard_header(struct sk_buff *skb, struct device *dev,
2110 unsigned short type, void *daddr, void *saddr, unsigned len)
2112 struct ipsecpriv *prv = dev->priv;
2115 struct net_device_stats *stats; /* This device's statistics */
2118 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2119 "klips_debug:ipsec_tunnel_hard_header: "
2125 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2126 "klips_debug:ipsec_tunnel_hard_header: "
2131 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2132 "klips_debug:ipsec_tunnel_hard_header: "
2133 "skb->dev=%s dev=%s.\n",
2134 skb->dev ? skb->dev->name : "NULL",
2138 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2139 "klips_debug:ipsec_tunnel_hard_header: "
2140 "no private space associated with dev=%s\n",
2141 dev->name ? dev->name : "NULL");
2145 stats = (struct net_device_stats *) &(prv->mystats);
2147 if(prv->dev == NULL) {
2148 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2149 "klips_debug:ipsec_tunnel_hard_header: "
2150 "no physical device associated with dev=%s\n",
2151 dev->name ? dev->name : "NULL");
2152 stats->tx_dropped++;
2156 /* check if we have to send a IPv6 packet. It might be a Router
2157 Solicitation, where the building of the packet happens in
2162 -> skb->nh.raw is still uninitialized when this function is
2163 called!! If this is no IPv6 packet, we can print debugging
2164 messages, otherwise we skip all debugging messages and just
2165 build the ll header */
2166 if(type != ETH_P_IPV6) {
2167 /* execute this only, if we don't have to build the
2168 header for a IPv6 packet */
2169 if(!prv->hard_header) {
2170 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2171 "klips_debug:ipsec_tunnel_hard_header: "
2172 "physical device has been detached, packet dropped 0x%p->0x%p len=%d type=%d dev=%s->NULL ",
2179 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
2181 (__u32)ntohl(skb->nh.iph->saddr),
2182 (__u32)ntohl(skb->nh.iph->daddr) );
2184 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
2186 (__u32)ntohl(skb->ip_hdr->saddr),
2187 (__u32)ntohl(skb->ip_hdr->daddr) );
2189 stats->tx_dropped++;
2193 #define da ((struct device *)(prv->dev))->dev_addr
2194 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2195 "klips_debug:ipsec_tunnel_hard_header: "
2196 "Revectored 0x%p->0x%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
2203 da[0], da[1], da[2], da[3], da[4], da[5]);
2205 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
2207 (__u32)ntohl(skb->nh.iph->saddr),
2208 (__u32)ntohl(skb->nh.iph->daddr) );
2210 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
2212 (__u32)ntohl(skb->ip_hdr->saddr),
2213 (__u32)ntohl(skb->ip_hdr->daddr) );
2216 KLIPS_PRINT(debug_tunnel,
2217 "klips_debug:ipsec_tunnel_hard_header: "
2218 "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
2221 skb->dev = prv->dev;
2222 ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
2229 ipsec_tunnel_rebuild_header(struct sk_buff *skb)
2231 ipsec_tunnel_rebuild_header(void *buff, struct device *dev,
2232 unsigned long raddr, struct sk_buff *skb)
2235 struct ipsecpriv *prv = skb->dev->priv;
2238 struct net_device_stats *stats; /* This device's statistics */
2240 if(skb->dev == NULL) {
2241 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2242 "klips_debug:ipsec_tunnel_rebuild_header: "
2248 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2249 "klips_debug:ipsec_tunnel_rebuild_header: "
2250 "no private space associated with dev=%s",
2251 skb->dev->name ? skb->dev->name : "NULL");
2255 stats = (struct net_device_stats *) &(prv->mystats);
2257 if(prv->dev == NULL) {
2258 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2259 "klips_debug:ipsec_tunnel_rebuild_header: "
2260 "no physical device associated with dev=%s",
2261 skb->dev->name ? skb->dev->name : "NULL");
2262 stats->tx_dropped++;
2266 if(!prv->rebuild_header) {
2267 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2268 "klips_debug:ipsec_tunnel_rebuild_header: "
2269 "physical device has been detached, packet dropped skb->dev=%s->NULL ",
2272 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2274 (__u32)ntohl(skb->nh.iph->saddr),
2275 (__u32)ntohl(skb->nh.iph->daddr) );
2277 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2279 (__u32)ntohl(skb->ip_hdr->saddr),
2280 (__u32)ntohl(skb->ip_hdr->daddr) );
2282 stats->tx_dropped++;
2286 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2287 "klips_debug:ipsec_tunnel: "
2288 "Revectored rebuild_header dev=%s->%s ",
2289 skb->dev->name, prv->dev->name);
2291 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2293 (__u32)ntohl(skb->nh.iph->saddr),
2294 (__u32)ntohl(skb->nh.iph->daddr) );
2296 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2298 (__u32)ntohl(skb->ip_hdr->saddr),
2299 (__u32)ntohl(skb->ip_hdr->daddr) );
2302 skb->dev = prv->dev;
2305 ret = prv->rebuild_header(skb);
2307 ret = prv->rebuild_header(buff, prv->dev, raddr, skb);
2314 ipsec_tunnel_set_mac_address(struct device *dev, void *addr)
2316 struct ipsecpriv *prv = dev->priv;
2318 struct net_device_stats *stats; /* This device's statistics */
2321 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2322 "klips_debug:ipsec_tunnel_set_mac_address: "
2328 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2329 "klips_debug:ipsec_tunnel_set_mac_address: "
2330 "no private space associated with dev=%s",
2331 dev->name ? dev->name : "NULL");
2335 stats = (struct net_device_stats *) &(prv->mystats);
2337 if(prv->dev == NULL) {
2338 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2339 "klips_debug:ipsec_tunnel_set_mac_address: "
2340 "no physical device associated with dev=%s",
2341 dev->name ? dev->name : "NULL");
2342 stats->tx_dropped++;
2346 if(!prv->set_mac_address) {
2347 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2348 "klips_debug:ipsec_tunnel_set_mac_address: "
2349 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
2354 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2355 "klips_debug:ipsec_tunnel_set_mac_address: "
2356 "Revectored dev=%s->%s addr=%p\n",
2357 dev->name, prv->dev->name, addr);
2358 return prv->set_mac_address(prv->dev, addr);
2363 DEBUG_NO_STATIC void
2364 ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct device *dev,
2365 unsigned short htype, __u32 daddr)
2367 struct ipsecpriv *prv = dev->priv;
2369 struct net_device_stats *stats; /* This device's statistics */
2372 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2373 "klips_debug:ipsec_tunnel_cache_bind: "
2379 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2380 "klips_debug:ipsec_tunnel_cache_bind: "
2381 "no private space associated with dev=%s",
2382 dev->name ? dev->name : "NULL");
2386 stats = (struct net_device_stats *) &(prv->mystats);
2388 if(prv->dev == NULL) {
2389 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2390 "klips_debug:ipsec_tunnel_cache_bind: "
2391 "no physical device associated with dev=%s",
2392 dev->name ? dev->name : "NULL");
2393 stats->tx_dropped++;
2397 if(!prv->header_cache_bind) {
2398 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2399 "klips_debug:ipsec_tunnel_cache_bind: "
2400 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
2402 stats->tx_dropped++;
2406 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2407 "klips_debug:ipsec_tunnel_cache_bind: "
2409 prv->header_cache_bind(hhp, prv->dev, htype, daddr);
2412 #endif /* !NET_21 */
2415 DEBUG_NO_STATIC void
2416 ipsec_tunnel_cache_update(struct hh_cache *hh, struct device *dev, unsigned char * haddr)
2418 struct ipsecpriv *prv = dev->priv;
2420 struct net_device_stats *stats; /* This device's statistics */
2423 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2424 "klips_debug:ipsec_tunnel_cache_update: "
2430 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2431 "klips_debug:ipsec_tunnel_cache_update: "
2432 "no private space associated with dev=%s",
2433 dev->name ? dev->name : "NULL");
2437 stats = (struct net_device_stats *) &(prv->mystats);
2439 if(prv->dev == NULL) {
2440 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2441 "klips_debug:ipsec_tunnel_cache_update: "
2442 "no physical device associated with dev=%s",
2443 dev->name ? dev->name : "NULL");
2444 stats->tx_dropped++;
2448 if(!prv->header_cache_update) {
2449 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2450 "klips_debug:ipsec_tunnel_cache_update: "
2451 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
2456 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2457 "klips_debug:ipsec_tunnel: "
2458 "Revectored cache_update\n");
2459 prv->header_cache_update(hh, prv->dev, haddr);
2465 ipsec_tunnel_neigh_setup(struct neighbour *n)
2467 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2468 "klips_debug:ipsec_tunnel_neigh_setup:\n");
2470 if (n->nud_state == NUD_NONE) {
2471 n->ops = &arp_broken_ops;
2472 n->output = n->ops->output;
2478 ipsec_tunnel_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
2480 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2481 "klips_debug:ipsec_tunnel_neigh_setup_dev: "
2483 dev ? dev->name : "NULL");
2485 if (p->tbl->family == AF_INET) {
2486 p->neigh_setup = ipsec_tunnel_neigh_setup;
2487 p->ucast_probes = 0;
2488 p->mcast_probes = 0;
2495 * We call the attach routine to attach another device.
2499 ipsec_tunnel_attach(struct device *dev, struct device *physdev)
2502 struct ipsecpriv *prv = dev->priv;
2505 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2506 "klips_debug:ipsec_tunnel_attach: "
2512 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2513 "klips_debug:ipsec_tunnel_attach: "
2514 "no private space associated with dev=%s",
2515 dev->name ? dev->name : "NULL");
2520 prv->hard_start_xmit = physdev->hard_start_xmit;
2521 prv->get_stats = physdev->get_stats;
2523 if (physdev->hard_header) {
2524 prv->hard_header = physdev->hard_header;
2525 dev->hard_header = ipsec_tunnel_hard_header;
2527 dev->hard_header = NULL;
2529 if (physdev->rebuild_header) {
2530 prv->rebuild_header = physdev->rebuild_header;
2531 dev->rebuild_header = ipsec_tunnel_rebuild_header;
2533 dev->rebuild_header = NULL;
2535 if (physdev->set_mac_address) {
2536 prv->set_mac_address = physdev->set_mac_address;
2537 dev->set_mac_address = ipsec_tunnel_set_mac_address;
2539 dev->set_mac_address = NULL;
2542 if (physdev->header_cache_bind) {
2543 prv->header_cache_bind = physdev->header_cache_bind;
2544 dev->header_cache_bind = ipsec_tunnel_cache_bind;
2546 dev->header_cache_bind = NULL;
2547 #endif /* !NET_21 */
2549 if (physdev->header_cache_update) {
2550 prv->header_cache_update = physdev->header_cache_update;
2551 dev->header_cache_update = ipsec_tunnel_cache_update;
2553 dev->header_cache_update = NULL;
2555 dev->hard_header_len = physdev->hard_header_len;
2558 /* prv->neigh_setup = physdev->neigh_setup; */
2559 dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
2561 dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
2562 prv->mtu = physdev->mtu;
2565 dev->type = physdev->type /* ARPHRD_TUNNEL */; /* initially */
2566 #endif /* PHYSDEV_TYPE */
2568 dev->addr_len = physdev->addr_len;
2569 for (i=0; i<dev->addr_len; i++) {
2570 dev->dev_addr[i] = physdev->dev_addr[i];
2572 #ifdef CONFIG_IPSEC_DEBUG
2573 if(debug_tunnel & DB_TN_INIT) {
2574 printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
2575 "physical device %s being attached has HW address: %2x",
2576 physdev->name, physdev->dev_addr[0]);
2577 for (i=1; i < physdev->addr_len; i++) {
2578 printk(":%02x", physdev->dev_addr[i]);
2582 #endif /* CONFIG_IPSEC_DEBUG */
2588 * We call the detach routine to detach the ipsec tunnel from another device.
2592 ipsec_tunnel_detach(struct device *dev)
2595 struct ipsecpriv *prv = dev->priv;
2598 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2599 "klips_debug:ipsec_tunnel_detach: "
2605 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
2606 "klips_debug:ipsec_tunnel_detach: "
2607 "no private space associated with dev=%s",
2608 dev->name ? dev->name : "NULL");
2612 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2613 "klips_debug:ipsec_tunnel_detach: "
2614 "physical device %s being detached from virtual device %s\n",
2615 prv->dev ? prv->dev->name : "NULL",
2619 prv->hard_start_xmit = NULL;
2620 prv->get_stats = NULL;
2622 prv->hard_header = NULL;
2623 #ifdef DETACH_AND_DOWN
2624 dev->hard_header = NULL;
2625 #endif /* DETACH_AND_DOWN */
2627 prv->rebuild_header = NULL;
2628 #ifdef DETACH_AND_DOWN
2629 dev->rebuild_header = NULL;
2630 #endif /* DETACH_AND_DOWN */
2632 prv->set_mac_address = NULL;
2633 #ifdef DETACH_AND_DOWN
2634 dev->set_mac_address = NULL;
2635 #endif /* DETACH_AND_DOWN */
2638 prv->header_cache_bind = NULL;
2639 #ifdef DETACH_AND_DOWN
2640 dev->header_cache_bind = NULL;
2641 #endif /* DETACH_AND_DOWN */
2642 #endif /* !NET_21 */
2644 prv->header_cache_update = NULL;
2645 #ifdef DETACH_AND_DOWN
2646 dev->header_cache_update = NULL;
2647 #endif /* DETACH_AND_DOWN */
2650 /* prv->neigh_setup = NULL; */
2651 #ifdef DETACH_AND_DOWN
2652 dev->neigh_setup = NULL;
2653 #endif /* DETACH_AND_DOWN */
2655 dev->hard_header_len = 0;
2656 #ifdef DETACH_AND_DOWN
2658 #endif /* DETACH_AND_DOWN */
2660 for (i=0; i<MAX_ADDR_LEN; i++) {
2661 dev->dev_addr[i] = 0;
2665 dev->type = ARPHRD_TUNNEL;
2666 #endif /* PHYSDEV_TYPE */
2672 * We call the clear routine to detach all ipsec tunnels from other devices.
2675 ipsec_tunnel_clear(void)
2678 struct device *ipsecdev = NULL, *prvdev;
2679 struct ipsecpriv *prv;
2683 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2684 "klips_debug:ipsec_tunnel_clear: .\n");
2686 for(i = 0; i < IPSEC_NUM_IF; i++) {
2687 sprintf(name, "ipsec%d", i);
2688 if((ipsecdev = ipsec_dev_get(name)) != NULL) {
2689 if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
2690 prvdev = (struct device *)(prv->dev);
2692 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2693 "klips_debug:ipsec_tunnel_clear: "
2694 "physical device for device %s is %s\n",
2695 name, prvdev->name);
2696 if((ret = ipsec_tunnel_detach(ipsecdev))) {
2697 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2698 "klips_debug:ipsec_tunnel_clear: "
2699 "error %d detatching device %s from device %s.\n",
2700 ret, name, prvdev->name);
2711 ipsec_tunnel_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
2713 struct ipsectunnelconf *cf = (struct ipsectunnelconf *)&ifr->ifr_data;
2714 struct ipsecpriv *prv = dev->priv;
2715 struct device *them; /* physical device */
2716 #if defined(NET_21) && defined(CONFIG_IP_ALIAS)
2718 char realphysname[IFNAMSIZ];
2719 #endif /* NET_21 && CONFIG_IP_ALIAS */
2722 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2723 "klips_debug:ipsec_tunnel_ioctl: "
2724 "device not supplied.\n");
2728 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2729 "klips_debug:ipsec_tunnel_ioctl: "
2730 "tncfg service call #%d for dev=%s\n",
2732 dev->name ? dev->name : "NULL");
2734 /* attach a virtual ipsec? device to a physical device */
2736 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2737 "klips_debug:ipsec_tunnel_ioctl: "
2738 "calling ipsec_tunnel_attatch...\n");
2739 #if defined(NET_21) && defined(CONFIG_IP_ALIAS)
2740 /* If this is an IP alias interface, get its real physical name */
2741 strncpy(realphysname, cf->cf_name, IFNAMSIZ);
2742 realphysname[IFNAMSIZ-1] = 0;
2743 colon = strchr(realphysname, ':');
2744 if (colon) *colon = 0;
2745 them = ipsec_dev_get(realphysname);
2746 #else /* NET_21 && CONFIG_IP_ALIAS */
2747 them = ipsec_dev_get(cf->cf_name);
2748 #endif /* NET_21 && CONFIG_IP_ALIAS */
2751 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2752 "klips_debug:ipsec_tunnel_ioctl: "
2753 "physical device %s requested is null\n",
2759 if (them->flags & IFF_UP) {
2760 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2761 "klips_debug:ipsec_tunnel_ioctl: "
2762 "physical device %s requested is not up.\n",
2768 if (prv && prv->dev) {
2769 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2770 "klips_debug:ipsec_tunnel_ioctl: "
2771 "virtual device is already connected to %s.\n",
2772 prv->dev->name ? prv->dev->name : "NULL");
2775 return ipsec_tunnel_attach(dev, them);
2778 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2779 "klips_debug:ipsec_tunnel_ioctl: "
2780 "calling ipsec_tunnel_detatch.\n");
2782 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2783 "klips_debug:ipsec_tunnel_ioctl: "
2784 "physical device not connected.\n");
2787 return ipsec_tunnel_detach(dev);
2790 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2791 "klips_debug:ipsec_tunnel_ioctl: "
2792 "calling ipsec_tunnel_clear.\n");
2793 return ipsec_tunnel_clear();
2796 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2797 "klips_debug:ipsec_tunnel_ioctl: "
2798 "unknown command %d.\n",
2805 ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
2807 struct device *dev = ptr;
2808 struct device *ipsec_dev;
2809 struct ipsecpriv *priv;
2814 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2815 "klips_debug:ipsec_device_event: "
2816 "dev=NULL for event type %ld.\n",
2818 return(NOTIFY_DONE);
2821 /* check for loopback devices */
2822 if (dev && (dev->flags & IFF_LOOPBACK)) {
2823 return(NOTIFY_DONE);
2828 /* look very carefully at the scope of these compiler
2829 directives before changing anything... -- RGB */
2831 case NETDEV_UNREGISTER:
2835 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2836 "klips_debug:ipsec_device_event: "
2837 "NETDEV_DOWN dev=%s flags=%x\n",
2840 if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
2841 printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
2846 case NETDEV_UNREGISTER:
2847 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2848 "klips_debug:ipsec_device_event: "
2849 "NETDEV_UNREGISTER dev=%s flags=%x\n",
2856 /* find the attached physical device and detach it. */
2857 for(i = 0; i < IPSEC_NUM_IF; i++) {
2858 sprintf(name, "ipsec%d", i);
2859 ipsec_dev = ipsec_dev_get(name);
2861 priv = (struct ipsecpriv *)(ipsec_dev->priv);
2864 if(((struct device *)(priv->dev)) == dev) {
2865 /* dev_close(ipsec_dev); */
2866 /* return */ ipsec_tunnel_detach(ipsec_dev);
2867 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2868 "klips_debug:ipsec_device_event: "
2869 "device '%s' has been detached.\n",
2874 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2875 "klips_debug:ipsec_device_event: "
2876 "device '%s' has no private data space!\n",
2883 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2884 "klips_debug:ipsec_device_event: "
2885 "NETDEV_UP dev=%s\n",
2890 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2891 "klips_debug:ipsec_device_event: "
2892 "NETDEV_REBOOT dev=%s\n",
2896 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2897 "klips_debug:ipsec_device_event: "
2898 "NETDEV_CHANGE dev=%s flags=%x\n",
2902 case NETDEV_REGISTER:
2903 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2904 "klips_debug:ipsec_device_event: "
2905 "NETDEV_REGISTER dev=%s\n",
2908 case NETDEV_CHANGEMTU:
2909 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2910 "klips_debug:ipsec_device_event: "
2911 "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
2915 case NETDEV_CHANGEADDR:
2916 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2917 "klips_debug:ipsec_device_event: "
2918 "NETDEV_CHANGEADDR dev=%s\n",
2921 case NETDEV_GOING_DOWN:
2922 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2923 "klips_debug:ipsec_device_event: "
2924 "NETDEV_GOING_DOWN dev=%s\n",
2927 case NETDEV_CHANGENAME:
2928 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2929 "klips_debug:ipsec_device_event: "
2930 "NETDEV_CHANGENAME dev=%s\n",
2935 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
2936 "klips_debug:ipsec_device_event: "
2937 "event type %ld unrecognised for dev=%s\n",
2946 * Called when an ipsec tunnel device is initialized.
2947 * The ipsec tunnel device structure is passed to us.
2951 ipsec_tunnel_init(struct device *dev)
2957 "klips_debug:ipsec_tunnel_init: "
2958 "initialisation of device: %s\n",
2959 dev->name ? dev->name : "NULL");
2962 /* Add our tunnel functions to the device */
2963 dev->open = ipsec_tunnel_open;
2964 dev->stop = ipsec_tunnel_close;
2965 dev->hard_start_xmit = ipsec_tunnel_start_xmit;
2966 dev->get_stats = ipsec_tunnel_get_stats;
2968 dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
2969 if (dev->priv == NULL)
2971 memset(dev->priv, 0, sizeof(struct ipsecpriv));
2973 for(i = 0; i < sizeof(zeroes); i++) {
2974 ((__u8*)(zeroes))[i] = 0;
2978 /* Initialize the tunnel device structure */
2979 for (i = 0; i < DEV_NUMBUFFS; i++)
2980 skb_queue_head_init(&dev->buffs[i]);
2981 #endif /* !NET_21 */
2983 dev->set_multicast_list = NULL;
2984 dev->do_ioctl = ipsec_tunnel_ioctl;
2985 dev->hard_header = NULL;
2986 dev->rebuild_header = NULL;
2987 dev->set_mac_address = NULL;
2989 dev->header_cache_bind = NULL;
2990 #endif /* !NET_21 */
2991 dev->header_cache_update= NULL;
2994 /* prv->neigh_setup = NULL; */
2995 dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
2997 dev->hard_header_len = 0;
3000 dev->type = ARPHRD_TUNNEL; /* 0 */ /* ARPHRD_ETHER; */ /* initially */
3001 dev->tx_queue_len = 10; /* Small queue */
3002 memset(dev->broadcast,0xFF, ETH_ALEN); /* what if this is not attached to ethernet? */
3004 /* New-style flags. */
3005 dev->flags = IFF_NOARP /* 0 */ /* Petr Novak */;
3007 dev_init_buffers(dev);
3009 dev->family = AF_INET;
3011 dev->pa_brdaddr = 0;
3016 /* We're done. Have I forgotten anything? */
3020 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
3021 /* Module specific interface (but it links with the rest of IPSEC */
3022 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
3025 ipsec_tunnel_probe(struct device *dev)
3027 ipsec_tunnel_init(dev);
3031 static struct device dev_ipsec3 =
3033 "ipsec3\0 ", /* name */
3034 0, /* recv memory end */
3035 0, /* recv memory start */
3037 0, /* memory start */
3038 0x0, /* base I/O address */
3040 0, 0, 0, /* flags */
3041 NULL, /* next device */
3042 ipsec_tunnel_probe /* setup */
3045 static struct device dev_ipsec2 =
3047 "ipsec2\0 ", /* name */
3048 0, /* recv memory end */
3049 0, /* recv memory start */
3051 0, /* memory start */
3052 0x0, /* base I/O address */
3054 0, 0, 0, /* flags */
3055 NULL, /* next device */
3056 ipsec_tunnel_probe /* setup */
3059 static struct device dev_ipsec1 =
3061 "ipsec1\0 ", /* name */
3062 0, /* recv memory end */
3063 0, /* recv memory start */
3065 0, /* memory start */
3066 0x0, /* base I/O address */
3068 0, 0, 0, /* flags */
3069 NULL, /* next device */
3070 ipsec_tunnel_probe /* setup */
3073 static struct device dev_ipsec0 =
3075 "ipsec0\0 ", /* name */
3076 0, /* recv memory end */
3077 0, /* recv memory start */
3079 0, /* memory start */
3080 0x0, /* base I/O address */
3082 0, 0, 0, /* flags */
3083 NULL, /* next device */
3084 ipsec_tunnel_probe /* setup */
3088 ipsec_tunnel_init_devices(void)
3091 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
3092 "klips_debug:ipsec_tunnel_init_devices: "
3093 "registering device %s\n",
3096 if (register_netdev(&dev_ipsec0) != 0)
3099 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
3100 "klips_debug:ipsec_tunnel_init_devices: "
3101 "registering device %s\n",
3104 if (register_netdev(&dev_ipsec1) != 0)
3107 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
3108 "klips_debug:ipsec_tunnel_init_devices: "
3109 "registering device %s\n",
3112 if (register_netdev(&dev_ipsec2) != 0)
3115 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
3116 "klips_debug:ipsec_tunnel_init_devices: "
3117 "registering device %s\n",
3120 if (register_netdev(&dev_ipsec3) != 0)
3127 ipsec_tunnel_cleanup_devices(void)
3131 unregister_netdev(&dev_ipsec0);
3132 unregister_netdev(&dev_ipsec1);
3133 unregister_netdev(&dev_ipsec2);
3134 unregister_netdev(&dev_ipsec3);
3135 kfree(dev_ipsec0.priv);
3136 kfree(dev_ipsec1.priv);
3137 kfree(dev_ipsec2.priv);
3138 kfree(dev_ipsec3.priv);
3139 dev_ipsec0.priv=NULL;
3140 dev_ipsec1.priv=NULL;
3141 dev_ipsec2.priv=NULL;
3142 dev_ipsec3.priv=NULL;
3148 * $Log: ipsec_tunnel.c,v $
3149 * Revision 1.187 2002/03/23 19:55:17 rgb
3150 * Fix for 2.2 local IKE fragmentation blackhole. Still won't work if
3151 * iptraf or another pcap app is running.
3153 * Revision 1.186 2002/03/19 03:26:22 rgb
3154 * Applied DHR's tunnel patch to streamline IKE/specialSA processing.
3156 * Revision 1.185 2002/02/20 04:13:05 rgb
3157 * Send back ICMP_PKT_FILTERED upon %reject.
3159 * Revision 1.184 2002/01/29 17:17:56 mcr
3160 * moved include of ipsec_param.h to after include of linux/kernel.h
3161 * otherwise, it seems that some option that is set in ipsec_param.h
3162 * screws up something subtle in the include path to kernel.h, and
3163 * it complains on the snprintf() prototype.
3165 * Revision 1.183 2002/01/29 04:00:53 mcr
3166 * more excise of kversions.h header.
3168 * Revision 1.182 2002/01/29 02:13:18 mcr
3169 * introduction of ipsec_kversion.h means that include of
3170 * ipsec_param.h must preceed any decisions about what files to
3171 * include to deal with differences in kernel source.
3173 * Revision 1.181 2002/01/07 20:00:33 rgb
3174 * Added IKE destination port debugging.
3176 * Revision 1.180 2001/12/21 21:49:54 rgb
3177 * Fixed bug as a result of moving IKE bypass above %trap/%hold code.
3179 * Revision 1.179 2001/12/19 21:08:14 rgb
3180 * Added transport protocol ports to ipsec_print_ip().
3181 * Update eroute info for non-SA targets.
3182 * Added obey DF code disabled.
3183 * Fixed formatting bugs in ipsec_tunnel_hard_header().
3185 * Revision 1.178 2001/12/05 09:36:10 rgb
3186 * Moved the UDP/500 IKE check just above the %hold/%trap checks to avoid
3187 * IKE packets being stolen by the %hold (and returned to the sending KMd
3188 * in an ACQUIRE, ironically ;-).
3190 * Revision 1.177 2001/11/26 09:23:50 rgb
3191 * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
3193 * Revision 1.170.2.1 2001/09/25 02:28:27 mcr
3194 * struct tdb -> struct ipsec_sa.
3195 * lifetime checks moved to common routines.
3196 * cleaned up includes.
3198 * Revision 1.170.2.2 2001/10/22 21:08:01 mcr
3199 * include des.h, removed phony prototypes and fixed calling
3200 * conventions to match real prototypes.
3202 * Revision 1.176 2001/11/09 18:32:31 rgb
3203 * Added Hans Schultz' fragmented UDP/500 IKE socket port selector.
3205 * Revision 1.175 2001/11/06 20:47:00 rgb
3206 * Added Eric Espie's TRAPSUBNET fix, minus spin-lock-bh dabbling.
3208 * Revision 1.174 2001/11/06 19:50:43 rgb
3209 * Moved IP_SEND, ICMP_SEND, DEV_QUEUE_XMIT macros to ipsec_tunnel.h for
3210 * use also by pfkey_v2_parser.c
3212 * Revision 1.173 2001/10/29 21:53:44 henry
3213 * tone down the device-down message slightly, until we can make it smarter
3215 * Revision 1.172 2001/10/26 04:59:37 rgb
3216 * Added a critical level syslog message if an ipsec device goes down.
3218 * Revision 1.171 2001/10/18 04:45:21 rgb
3219 * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
3220 * lib/freeswan.h version macros moved to lib/kversions.h.
3221 * Other compiler directive cleanups.
3223 * Revision 1.170 2001/09/25 00:09:50 rgb
3224 * Added NetCelo's TRAPSUBNET code to convert a new type TRAPSUBNET into a
3227 * Revision 1.169 2001/09/15 16:24:05 rgb
3228 * Re-inject first and last HOLD packet when an eroute REPLACE is done.
3230 * Revision 1.168 2001/09/14 16:58:37 rgb
3231 * Added support for storing the first and last packets through a HOLD.
3233 * Revision 1.167 2001/09/08 21:13:33 rgb
3234 * Added pfkey ident extension support for ISAKMPd. (NetCelo)
3236 * Revision 1.166 2001/08/27 19:47:59 rgb
3237 * Clear tdb before usage.
3238 * Added comment: clear IF before calling routing?
3240 * Revision 1.165 2001/07/03 01:23:53 rgb
3241 * Send back ICMP iff DF set, !ICMP, offset==0, sysctl_icmp, iph->tot_len >
3242 * emtu, and don't drop.
3244 * Revision 1.164 2001/06/14 19:35:10 rgb
3245 * Update copyright date.
3247 * Revision 1.163 2001/06/06 20:28:51 rgb
3248 * Added sanity checks for NULL skbs and devices.
3249 * Added more debugging output to various functions.
3250 * Removed redundant dev->priv argument to ipsec_tunnel_{at,de}tach().
3251 * Renamed ipsec_tunnel_attach() virtual and physical device arguments.
3252 * Corrected neigh_setup() device function assignment.
3253 * Keep valid pointers to ipsec_tunnel_*() on detach.
3254 * Set dev->type to the originally-initiallised value.
3256 * Revision 1.162 2001/06/01 07:28:04 rgb
3257 * Added sanity checks for detached devices. Don't down virtual devices
3258 * to prevent packets going out in the clear if the detached device comes
3261 * Revision 1.161 2001/05/30 08:14:52 rgb
3262 * Removed vestiges of esp-null transforms.
3263 * NetDev Notifier instrumentation to track down disappearing devices.
3265 * Revision 1.160 2001/05/29 05:15:12 rgb
3266 * Added SS' PMTU patch which notifies sender if packet doesn't fit
3267 * physical MTU (if it wasn't ICMP) and then drops it.
3269 * Revision 1.159 2001/05/27 06:12:12 rgb
3270 * Added structures for pid, packet count and last access time to eroute.
3271 * Added packet count to beginning of /proc/net/ipsec_eroute.
3273 * Revision 1.158 2001/05/24 05:39:33 rgb
3274 * Applied source zeroing to 2.2 ip_route_output() call as well to enable
3275 * PASS eroutes for opportunism.
3277 * Revision 1.157 2001/05/23 22:35:28 rgb
3278 * 2.4 source override simplification.
3280 * Revision 1.156 2001/05/23 21:41:31 rgb
3281 * Added error return code printing on ip_route_output().
3283 * Revision 1.155 2001/05/23 05:09:13 rgb
3284 * Fixed incorrect ip_route_output() failure message.
3286 * Revision 1.154 2001/05/21 14:53:31 rgb
3287 * Added debug statement for case when ip_route_output() fails, causing
3288 * packet to be dropped, but log looked ok.
3290 * Revision 1.153 2001/05/19 02:37:54 rgb
3291 * Fixed missing comment termination.
3293 * Revision 1.152 2001/05/19 02:35:50 rgb
3294 * Debug code optimisation for non-debug speed.
3295 * Kernel version compiler define comments.
3296 * 2.2 and 2.4 kernel ip_send device and ip debug output added.
3298 * Revision 1.151 2001/05/18 16:17:35 rgb
3299 * Changed reference from "magic" to "shunt" SAs.
3301 * Revision 1.150 2001/05/18 16:12:19 rgb
3302 * Changed UDP/500 bypass test from 3 nested ifs to one anded if.
3304 * Revision 1.149 2001/05/16 04:39:33 rgb
3305 * Add default == eroute.dest to IKE bypass conditions for magic eroutes.
3307 * Revision 1.148 2001/05/05 03:31:41 rgb
3308 * IP frag debugging updates and enhancements.
3310 * Revision 1.147 2001/05/03 19:41:40 rgb
3311 * Added SS' skb_cow fix for 2.4.4.
3313 * Revision 1.146 2001/04/30 19:28:16 rgb
3314 * Update for 2.4.4. ip_select_ident() now has 3 args.
3316 * Revision 1.145 2001/04/23 14:56:10 rgb
3317 * Added spin_lock() check to prevent double-locking for multiple
3318 * transforms and hence kernel lock-ups with SMP kernels.
3320 * Revision 1.144 2001/04/21 23:04:45 rgb
3321 * Define out skb->used for 2.4 kernels.
3322 * Check if soft expire has already been sent before sending another to
3323 * prevent ACQUIRE flooding.
3325 * Revision 1.143 2001/03/16 07:37:21 rgb
3326 * Added comments to all #endifs.
3328 * Revision 1.142 2001/02/28 05:03:27 rgb
3329 * Clean up and rationalise startup messages.
3331 * Revision 1.141 2001/02/27 22:24:54 rgb
3332 * Re-formatting debug output (line-splitting, joining, 1arg/line).
3333 * Check for satoa() return codes.
3335 * Revision 1.140 2001/02/27 06:40:12 rgb
3336 * Fixed TRAP->HOLD eroute byte order.
3338 * Revision 1.139 2001/02/26 20:38:59 rgb
3339 * Added compiler defines for 2.4.x-specific code.
3341 * Revision 1.138 2001/02/26 19:57:27 rgb
3342 * Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
3343 * of the new SPD and to support opportunistic.
3344 * Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs.
3346 * Revision 1.137 2001/02/19 22:29:49 rgb
3347 * Fixes for presence of active ipv6 segments which share ipsec physical
3350 * Revision 1.136 2001/01/29 22:30:38 rgb
3351 * Fixed minor acquire debug printing bug.
3353 * Revision 1.135 2001/01/29 22:19:45 rgb
3354 * Zero source address for 2.4 bypass route lookup.
3356 * Revision 1.134 2001/01/23 20:19:49 rgb
3357 * 2.4 fix to remove removed is_clone member.
3359 * Revision 1.133 2000/12/09 22:08:35 rgb
3360 * Fix NET_23 bug, should be NETDEV_23.
3362 * Revision 1.132 2000/12/01 06:54:50 rgb
3363 * Fix for new 2.4 IP TTL default variable name.
3365 * Revision 1.131 2000/11/09 20:52:15 rgb
3366 * More spinlock shuffling, locking earlier and unlocking later in rcv to
3367 * include ipcomp and prevent races, renaming some tdb variables that got
3368 * forgotten, moving some unlocks to include tdbs and adding a missing
3369 * unlock. Thanks to Svenning for some of these.
3371 * Revision 1.130 2000/11/09 20:11:22 rgb
3372 * Minor shuffles to fix non-standard kernel config option selection.
3374 * Revision 1.129 2000/11/06 04:32:49 rgb
3375 * Clean up debug printing.
3376 * Copy skb->protocol for all kernel versions.
3377 * Ditched spin_lock_irqsave in favour of spin_lock.
3378 * Disabled TTL decrement, done in ip_forward.
3379 * Added debug printing before pfkey_acquire().
3380 * Fixed printk-deltdbchain-spin_lock races (Svenning).
3381 * Use defaultTTL for 2.1+ kernels.
3382 * Add Svenning's adaptive content compression.
3383 * Fix up debug display arguments.
3385 * Revision 1.128 2000/09/28 00:58:57 rgb
3386 * Moved the IKE passthrough check after the eroute lookup so we can pass
3387 * IKE through intermediate tunnels.
3389 * Revision 1.127 2000/09/22 17:52:11 rgb
3390 * Fixed misleading ipcomp debug output.
3392 * Revision 1.126 2000/09/22 04:22:56 rgb
3393 * Fixed dumb spi->cpi conversion error.
3395 * Revision 1.125 2000/09/21 04:34:48 rgb
3396 * A few debug-specific things should be hidden under
3397 * CONFIG_IPSEC_DEBUG.(MB)
3398 * Improved ip_send() error handling.(MB)
3400 * Revision 1.124 2000/09/21 03:40:58 rgb
3401 * Added more debugging to try and track down the cpi outward copy problem.
3403 * Revision 1.123 2000/09/19 07:08:49 rgb
3404 * Added debugging to outgoing compression report.
3406 * Revision 1.122 2000/09/18 19:21:26 henry
3407 * RGB-supplied fix for RH5.2 problem
3409 * Revision 1.121 2000/09/17 21:05:09 rgb
3410 * Added tdb to skb_compress call to write in cpi.
3412 * Revision 1.120 2000/09/17 16:57:16 rgb
3413 * Added Svenning's patch to remove restriction of ipcomp to innermost
3416 * Revision 1.119 2000/09/15 11:37:01 rgb
3417 * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
3418 * IPCOMP zlib deflate code.
3420 * Revision 1.118 2000/09/15 04:57:16 rgb
3421 * Moved debug output after sanity check.
3422 * Added tos copy sysctl.
3424 * Revision 1.117 2000/09/12 03:22:51 rgb
3425 * Converted ipsec_icmp, no_eroute_pass, opportunistic and #if0 debugs to
3428 * Revision 1.116 2000/09/08 19:18:19 rgb
3429 * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
3430 * Added outgoing opportunistic hook, ifdef'ed out.
3432 * Revision 1.115 2000/08/30 05:27:29 rgb
3433 * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst.
3434 * Kill remainder of tdb_xform, tdb_xdata, xformsw.
3436 * Revision 1.114 2000/08/28 18:15:46 rgb
3437 * Added MB's nf-debug reset patch.
3439 * Revision 1.113 2000/08/27 02:26:40 rgb
3440 * Send all no-eroute-bypass, pluto-bypass and passthrough packets through
3441 * fragmentation machinery for 2.0, 2.2 and 2.4 kernels.
3443 * Revision 1.112 2000/08/20 21:37:33 rgb
3444 * Activated pfkey_expire() calls.
3445 * Added a hard/soft expiry parameter to pfkey_expire(). (Momchil)
3446 * Re-arranged the order of soft and hard expiry to conform to RFC2367.
3447 * Clean up references to CONFIG_IPSEC_PFKEYv2.
3449 * Revision 1.111 2000/08/01 14:51:51 rgb
3450 * Removed _all_ remaining traces of DES.
3452 * Revision 1.110 2000/07/28 14:58:31 rgb
3453 * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
3455 * Revision 1.109 2000/07/28 13:50:54 rgb
3456 * Changed enet_statistics to net_device_stats and added back compatibility
3459 * Revision 1.108 2000/05/16 03:03:11 rgb
3460 * Updates for 2.3.99pre8 from MB.
3462 * Revision 1.107 2000/05/10 23:08:21 rgb
3463 * Print a debug warning about bogus packets received by the outgoing
3464 * processing machinery only when klipsdebug is not set to none.
3465 * Comment out the device initialisation informational messages.
3467 * Revision 1.106 2000/05/10 19:17:14 rgb
3468 * Define an IP_SEND macro, intending to have all packet passthroughs
3469 * use fragmentation. This didn't quite work, but is a step in the
3471 * Added buffer allocation debugging statements.
3472 * Added configure option to shut off no eroute passthrough.
3473 * Only check usetime against soft and hard limits if the tdb has been
3475 * Cast output of ntohl so that the broken prototype doesn't make our
3478 * Revision 1.105 2000/03/22 16:15:37 rgb
3479 * Fixed renaming of dev_get (MB).
3481 * Revision 1.104 2000/03/16 14:04:15 rgb
3482 * Indented headers for readability.
3483 * Fixed debug scope to enable compilation with debug off.
3484 * Added macros for ip_chk_addr and IS_MYADDR for identifying self.
3486 * Revision 1.103 2000/03/16 07:11:07 rgb
3487 * Hardcode PF_KEYv2 support.
3488 * Fixed bug which allowed UDP/500 packet from another machine
3489 * through in the clear.
3490 * Added disabled skb->protocol fix for ISDN/ASYNC PPP from Matjaz Godec.
3492 * Revision 1.102 2000/03/14 12:26:59 rgb
3493 * Added skb->nfct support for clearing netfilter conntrack bits (MB).
3495 * Revision 1.101 2000/02/14 21:05:22 rgb
3496 * Added MB's netif_queue fix for kernels 2.3.43+.
3498 * Revision 1.100 2000/01/26 10:04:57 rgb
3499 * Fixed noisy 2.0 printk arguments.
3501 * Revision 1.99 2000/01/21 06:16:25 rgb
3502 * Added sanity checks on skb_push(), skb_pull() to prevent panics.
3503 * Switched to AF_ENCAP macro.
3504 * Shortened debug output per packet and re-arranging debug_tunnel
3505 * bitmap flags, while retaining necessary information to avoid
3506 * trampling the kernel print ring buffer.
3507 * Reformatted recursion switch code.
3508 * Changed all references to tdb_proto to tdb_said.proto for clarity.
3510 * Revision 1.98 2000/01/13 08:09:31 rgb
3511 * Shuffled debug_tunnel switches to focus output.
3512 * Fixed outgoing recursion bug, limiting to recursing only if the remote
3513 * SG changes and if it is valid, ie. not passthrough.
3514 * Clarified a number of debug messages.
3516 * Revision 1.97 2000/01/10 16:37:16 rgb
3517 * MB support for new ip_select_ident() upon disappearance of
3518 * ip_id_count in 2.3.36+.
3520 * Revision 1.96 1999/12/31 14:59:08 rgb
3521 * MB fix to use new skb_copy_expand in kernel 2.3.35.
3523 * Revision 1.95 1999/12/29 21:15:44 rgb
3524 * Fix tncfg to aliased device bug.
3526 * Revision 1.94 1999/12/22 04:26:06 rgb
3527 * Converted all 'static' functions to 'DEBUG_NO_STATIC' to enable
3528 * debugging by providing external labels to all functions with debugging
3531 * Revision 1.93 1999/12/13 13:30:14 rgb
3532 * Changed MTU reports and HW address reporting back to debug only.
3534 * Revision 1.92 1999/12/07 18:57:56 rgb
3535 * Fix PFKEY symbol compile error (SADB_*) without pfkey enabled.
3537 * Revision 1.91 1999/12/01 22:15:36 rgb
3538 * Add checks for LARVAL and DEAD SAs.
3539 * Change state of SA from MATURE to DYING when a soft lifetime is
3540 * reached and print debug warning.
3542 * Revision 1.90 1999/11/23 23:04:04 rgb
3543 * Use provided macro ADDRTOA_BUF instead of hardcoded value.
3544 * Sort out pfkey and freeswan headers, putting them in a library path.
3546 * Revision 1.89 1999/11/18 18:50:59 rgb
3547 * Changed all device registrations for static linking to
3548 * dynamic to reduce the number and size of patches.
3550 * Revision 1.88 1999/11/18 04:09:19 rgb
3551 * Replaced all kernel version macros to shorter, readable form.
3553 * Revision 1.87 1999/11/17 15:53:40 rgb
3554 * Changed all occurrences of #include "../../../lib/freeswan.h"
3555 * to #include <freeswan.h> which works due to -Ilibfreeswan in the
3556 * klips/net/ipsec/Makefile.
3558 * Revision 1.86 1999/10/16 18:25:37 rgb
3559 * Moved SA lifetime expiry checks before packet processing.
3560 * Expire SA on replay counter rollover.
3562 * Revision 1.85 1999/10/16 04:24:31 rgb
3563 * Add stats for time since last packet.
3565 * Revision 1.84 1999/10/16 00:30:47 rgb
3566 * Added SA lifetime counting.
3568 * Revision 1.83 1999/10/15 22:15:57 rgb
3572 * Revision 1.82 1999/10/08 18:26:19 rgb
3573 * Fix 2.0.3x outgoing fragmented packet memory leak.
3575 * Revision 1.81 1999/10/05 02:38:54 rgb
3576 * Lower the default mtu of virtual devices to 16260.
3578 * Revision 1.80 1999/10/03 18:56:41 rgb
3579 * Spinlock support for 2.3.xx.
3580 * Don't forget to undo spinlocks on error!
3581 * Check for valid eroute before copying the structure.
3583 * Revision 1.79 1999/10/01 15:44:53 rgb
3584 * Move spinlock header include to 2.1> scope.
3586 * Revision 1.78 1999/10/01 00:02:43 rgb
3587 * Added tdb structure locking.
3588 * Added eroute structure locking.
3590 * Revision 1.77 1999/09/30 02:52:29 rgb
3591 * Add Marc Boucher's Copy-On-Write code (same as ipsec_rcv.c).
3593 * Revision 1.76 1999/09/25 19:31:27 rgb
3594 * Refine MSS hack to affect SYN, but not SYN+ACK packets.
3596 * Revision 1.75 1999/09/24 22:52:38 rgb
3597 * Fix two things broken in 2.0.38 by trying to fix network notifiers.
3599 * Revision 1.74 1999/09/24 00:30:37 rgb
3600 * Add test for changed source as well as destination to check for
3603 * Revision 1.73 1999/09/23 20:52:24 rgb
3604 * Add James Morris' MSS hack patch, disabled.
3606 * Revision 1.72 1999/09/23 20:22:40 rgb
3607 * Enable, tidy and fix network notifier code.
3609 * Revision 1.71 1999/09/23 18:09:05 rgb
3610 * Clean up 2.2.x fragmenting traces.
3611 * Disable dev->type switching, forcing ARPHRD_TUNNEL.
3613 * Revision 1.70 1999/09/22 14:14:24 rgb
3614 * Add sanity checks for revectored calls to prevent calling a downed I/F.
3616 * Revision 1.69 1999/09/21 15:00:57 rgb
3617 * Add Marc Boucher's packet size check.
3618 * Flesh out network device notifier code.
3620 * Revision 1.68 1999/09/18 11:39:57 rgb
3621 * Start to add (disabled) netdevice notifier code.
3623 * Revision 1.67 1999/09/17 23:44:40 rgb
3624 * Add a comment warning potential code hackers to stay away from mac.raw.
3626 * Revision 1.66 1999/09/17 18:04:02 rgb
3627 * Add fix for unpredictable hard_header_len for ISDN folks (thanks MB).
3628 * Ditch TTL decrement in 2.2 (MB).
3630 * Revision 1.65 1999/09/15 23:15:35 henry
3631 * Marc Boucher's PPP fixes
3633 * Revision 1.64 1999/09/07 13:40:53 rgb
3634 * Ditch unreliable references to skb->mac.raw.
3636 * Revision 1.63 1999/08/28 11:33:09 rgb
3637 * Check for null skb->mac pointer.
3639 * Revision 1.62 1999/08/28 02:02:30 rgb
3640 * Add Marc Boucher's fix for properly dealing with skb->sk.
3642 * Revision 1.61 1999/08/27 05:23:05 rgb
3643 * Clean up skb->data/raw/nh/h manipulation.
3644 * Add Marc Boucher's mods to aid tcpdump.
3645 * Add sanity checks to skb->raw/nh/h pointer copies in skb_copy_expand.
3646 * Re-order hard_header stripping -- might be able to remove it...
3648 * Revision 1.60 1999/08/26 20:01:02 rgb
3649 * Tidy up compiler directives and macros.
3650 * Re-enable ICMP for tunnels where inner_dst != outer_dst.
3651 * Remove unnecessary skb->dev = physdev assignment affecting 2.2.x.
3653 * Revision 1.59 1999/08/25 15:44:41 rgb
3654 * Clean up from 2.2.x instrumenting for compilation under 2.0.36.
3656 * Revision 1.58 1999/08/25 15:00:54 rgb
3657 * Add dst cache code for 2.2.xx.
3658 * Add sanity check for skb packet header pointers.
3659 * Add/modify debugging instrumentation to *_start_xmit, *_hard_header and
3661 * Add neigh_* cache code.
3662 * Change dev->type back to ARPHRD_TUNNEL.
3664 * Revision 1.57 1999/08/17 21:50:23 rgb
3665 * Fixed minor debug output bugs.
3666 * Regrouped error recovery exit code.
3667 * Added compiler directives to remove unwanted code and symbols.
3668 * Shut off ICMP messages: to be refined to only send ICMP to remote systems.
3669 * Add debugging code for output function addresses.
3670 * Fix minor bug in (possibly unused) header_cache_bind function.
3671 * Add device neighbour caching code.
3672 * Change dev->type from ARPHRD_TUNNEL to physdev->type.
3674 * Revision 1.56 1999/08/03 17:22:56 rgb
3675 * Debug output clarification using KERN_* macros. Other inactive changes
3678 * Revision 1.55 1999/08/03 16:58:46 rgb
3679 * Fix skb_copy_expand size bug. Was getting incorrect size.
3681 * Revision 1.54 1999/07/14 19:32:38 rgb
3682 * Fix oversize packet crash and ssh stalling in 2.2.x kernels.
3684 * Revision 1.53 1999/06/10 15:44:02 rgb
3685 * Minor reformatting and clean-up.
3687 * Revision 1.52 1999/05/09 03:25:36 rgb
3688 * Fix bug introduced by 2.2 quick-and-dirty patch.
3690 * Revision 1.51 1999/05/08 21:24:59 rgb
3691 * Add casting to silence the 2.2.x compile.
3693 * Revision 1.50 1999/05/05 22:02:32 rgb
3694 * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
3696 * Revision 1.49 1999/04/29 15:18:52 rgb
3697 * Change gettdb parameter to a pointer to reduce stack loading and
3698 * facilitate parameter sanity checking.
3699 * Fix undetected bug that might have tried to access a null pointer.
3700 * Eliminate unnessessary usage of tdb_xform member to further switch
3701 * away from the transform switch to the algorithm switch.
3702 * Add return values to init and cleanup functions.
3704 * Revision 1.48 1999/04/16 15:38:00 rgb
3705 * Minor rearrangement of freeing code to avoid memory leaks with impossible or
3708 * Revision 1.47 1999/04/15 15:37:25 rgb
3709 * Forward check changes from POST1_00 branch.
3711 * Revision 1.32.2.4 1999/04/13 21:00:18 rgb
3712 * Ditch 'things I wish I had known before...'.
3714 * Revision 1.32.2.3 1999/04/13 20:34:38 rgb
3715 * Free skb after fragmentation.
3716 * Use stats more effectively.
3717 * Add I/F to mtu notch-down reporting.
3719 * Revision 1.32.2.2 1999/04/02 04:26:14 rgb
3720 * Backcheck from HEAD, pre1.0.
3722 * Revision 1.46 1999/04/11 00:29:00 henry
3725 * Revision 1.45 1999/04/07 15:42:01 rgb
3726 * Fix mtu/ping bug AGAIN!
3728 * Revision 1.44 1999/04/06 04:54:27 rgb
3729 * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
3730 * patch shell fixes.
3732 * Revision 1.43 1999/04/04 03:57:07 rgb
3733 * ip_fragment() doesn't free the supplied skb. Freed.
3735 * Revision 1.42 1999/04/01 23:27:15 rgb
3736 * Preload size of virtual mtu.
3738 * Revision 1.41 1999/04/01 09:31:23 rgb
3739 * Invert meaning of ICMP PMTUD config option and clarify.
3742 * Revision 1.40 1999/04/01 04:37:17 rgb
3743 * SSH stalling bug fix.
3745 * Revision 1.39 1999/03/31 23:44:28 rgb
3746 * Don't send ICMP on DF and frag_off.
3748 * Revision 1.38 1999/03/31 15:20:10 rgb
3749 * Quiet down debugging.
3751 * Revision 1.37 1999/03/31 08:30:31 rgb
3752 * Add switch to shut off ICMP PMTUD packets.
3754 * Revision 1.36 1999/03/31 05:44:47 rgb
3755 * Keep PMTU reduction private.
3757 * Revision 1.35 1999/03/27 15:13:02 rgb
3758 * PMTU/fragmentation bug fix.
3760 * Revision 1.34 1999/03/17 21:19:26 rgb
3761 * Fix kmalloc nonatomic bug.
3763 * Revision 1.33 1999/03/17 15:38:42 rgb
3765 * ESP_NULL IV bug fix.
3767 * Revision 1.32 1999/03/01 20:44:25 rgb
3769 * Memory leak bug fix.
3771 * Revision 1.31 1999/02/27 00:02:09 rgb
3772 * Tune to report the MTU reduction once, rather than after every recursion
3773 * through the encapsulating code, preventing tcp stream stalling.
3775 * Revision 1.30 1999/02/24 20:21:01 rgb
3776 * Reformat debug printk's.
3777 * Fix recursive encapsulation, dynamic MTU bugs and add debugging code.
3780 * Revision 1.29 1999/02/22 17:08:14 rgb
3781 * Fix recursive encapsulation code.
3783 * Revision 1.28 1999/02/19 18:27:02 rgb
3784 * Improve DF, fragmentation and PMTU behaviour and add dynamic MTU discovery.
3786 * Revision 1.27 1999/02/17 16:51:37 rgb
3787 * Clean out unused cruft.
3788 * Temporarily tone down volume of debug output.
3789 * Temporarily shut off fragment rejection.
3790 * Disabled temporary failed recursive encapsulation loop.
3792 * Revision 1.26 1999/02/12 21:21:26 rgb
3793 * Move KLIPS_PRINT to ipsec_netlink.h for accessibility.
3795 * Revision 1.25 1999/02/11 19:38:27 rgb
3797 * Add sanity checking for skb_copy_expand() to prevent kernel panics on
3798 * skb_put() values out of range.
3799 * Fix head/tailroom calculation causing skb_put() out-of-range values.
3800 * Fix return values to prevent 'nonatomic alloc_skb' warnings.
3801 * Allocate new skb iff needed.
3802 * Added more debug statements.
3803 * Make headroom depend on structure, not hard-coded values.
3805 * Revision 1.24 1999/02/10 23:20:33 rgb
3806 * Shut up annoying 'statement has no effect' compiler warnings with
3807 * debugging compiled out.
3809 * Revision 1.23 1999/02/10 22:36:30 rgb
3810 * Clean-up obsolete, unused and messy code.
3811 * Converted most IPSEC_DEBUG statements to KLIPS_PRINT macros.
3812 * Rename ipsec_tunnel_do_xmit to ipsec_tunnel_start_xmit and eliminated
3813 * original ipsec_tunnel_start_xmit.
3814 * Send all packet with different inner and outer destinations directly to
3815 * the attached physical device, rather than back through ip_forward,
3816 * preventing disappearing routes problems.
3817 * Do sanity checking before investing too much CPU in allocating new
3819 * Fail on IP header options: We cannot process them yet.
3820 * Add some helpful comments.
3821 * Use virtual device for parameters instead of physical device.
3823 * Revision 1.22 1999/02/10 03:03:02 rgb
3824 * Duh. Fixed the TTL bug: forgot to update the checksum.
3826 * Revision 1.21 1999/02/09 23:17:53 rgb
3827 * Add structure members to ipsec_print_ip debug function.
3828 * Temporarily fix TTL bug preventing tunnel mode from functioning.
3830 * Revision 1.20 1999/02/09 00:14:25 rgb
3831 * Add KLIPSPRINT macro. (Not used yet, though.)
3832 * Delete old ip_tunnel code (BADCODE).
3833 * Decrement TTL in outgoing packet.
3834 * Set TTL on new IPIP_TUNNEL to default, not existing packet TTL.
3835 * Delete ethernet only feature and fix hard-coded hard_header_len.
3837 * Revision 1.19 1999/01/29 17:56:22 rgb
3838 * 64-bit re-fix submitted by Peter Onion.
3840 * Revision 1.18 1999/01/28 22:43:24 rgb
3841 * Fixed bug in ipsec_print_ip that caused an OOPS, found by P.Onion.
3843 * Revision 1.17 1999/01/26 02:08:16 rgb
3844 * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
3845 * Removed dead code.
3847 * Revision 1.16 1999/01/22 06:25:26 rgb
3849 * Added algorithm switch code.
3851 * Passthrough on IPIP protocol, spi 0x0 fix.
3852 * Enhanced debugging.
3854 * Revision 1.15 1998/12/01 13:22:04 rgb
3855 * Added support for debug printing of version info.
3857 * Revision 1.14 1998/11/30 13:22:55 rgb
3858 * Rationalised all the klips kernel file headers. They are much shorter
3859 * now and won't conflict under RH5.2.
3861 * Revision 1.13 1998/11/17 21:13:52 rgb
3862 * Put IKE port bypass debug output in user-switched debug statements.
3864 * Revision 1.12 1998/11/13 13:20:25 rgb
3865 * Fixed ntohs bug in udp/500 hole for IKE.
3867 * Revision 1.11 1998/11/10 08:01:19 rgb
3868 * Kill tcp/500 hole, keep udp/500 hole.
3870 * Revision 1.10 1998/11/09 21:29:26 rgb
3871 * If no eroute is found, discard packet and incr. tx_error.
3873 * Revision 1.9 1998/10/31 06:50:00 rgb
3874 * Add tcp/udp/500 bypass.
3875 * Fixed up comments in #endif directives.
3877 * Revision 1.8 1998/10/27 00:34:31 rgb
3878 * Reformat debug output of IP headers.
3879 * Newlines added before calls to ipsec_print_ip.
3881 * Revision 1.7 1998/10/19 14:44:28 rgb
3882 * Added inclusion of freeswan.h.
3883 * sa_id structure implemented and used: now includes protocol.
3885 * Revision 1.6 1998/10/09 04:31:35 rgb
3886 * Added 'klips_debug' prefix to all klips printk debug statements.
3888 * Revision 1.5 1998/08/28 03:09:51 rgb
3889 * Prevent kernel log spam with default route through ipsec.
3891 * Revision 1.4 1998/08/05 22:23:09 rgb
3892 * Change setdev return code to ENXIO for a non-existant physical device.
3894 * Revision 1.3 1998/07/29 20:41:11 rgb
3895 * Add ipsec_tunnel_clear to clear all tunnel attachments.
3897 * Revision 1.2 1998/06/25 20:00:33 rgb
3898 * Clean up #endif comments.
3899 * Rename dev_ipsec to dev_ipsec0 for consistency.
3900 * Document ipsec device fields.
3901 * Make ipsec_tunnel_probe visible from rest of kernel for static linking.
3902 * Get debugging report for *every* ipsec device initialisation.
3903 * Comment out redundant code.
3905 * Revision 1.1 1998/06/18 21:27:50 henry
3906 * move sources from klips/src to klips/net/ipsec, to keep stupid
3907 * kernel-build scripts happier in the presence of symlinks
3909 * Revision 1.8 1998/06/14 23:49:40 rgb
3910 * Clarify version reporting on module loading.
3912 * Revision 1.7 1998/05/27 23:19:20 rgb
3913 * Added version reporting.
3915 * Revision 1.6 1998/05/18 21:56:23 rgb
3916 * Clean up for numerical consistency of output and cleaning up debug code.
3918 * Revision 1.5 1998/05/12 02:44:23 rgb
3919 * Clarifying 'no e-route to host' message.
3921 * Revision 1.4 1998/04/30 15:34:35 rgb
3922 * Enclosed most remaining debugging statements in #ifdef's to make it quieter.
3924 * Revision 1.3 1998/04/21 21:28:54 rgb
3925 * Rearrange debug switches to change on the fly debug output from user
3926 * space. Only kernel changes checked in at this time. radij.c was also
3927 * changed to temporarily remove buggy debugging code in rj_delete causing
3928 * an OOPS and hence, netlink device open errors.
3930 * Revision 1.2 1998/04/12 22:03:24 rgb
3931 * Updated ESP-3DES-HMAC-MD5-96,
3932 * ESP-DES-HMAC-MD5-96,
3934 * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
3935 * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
3937 * Fixed eroute references in /proc/net/ipsec*.
3939 * Started to patch module unloading memory leaks in ipsec_netlink and
3940 * radij tree unloading.
3942 * Revision 1.1 1998/04/09 03:06:12 henry
3943 * sources moved up from linux/net/ipsec
3945 * Revision 1.1.1.1 1998/04/08 05:35:04 henry
3946 * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
3948 * Revision 0.5 1997/06/03 04:24:48 ji
3949 * Added transport mode.
3950 * Changed the way routing is done.
3951 * Lots of bug fixes.
3953 * Revision 0.4 1997/01/15 01:28:15 ji
3956 * Revision 0.3 1996/11/20 14:39:04 ji
3958 * Rationalized debugging code.
3960 * Revision 0.2 1996/11/02 00:18:33 ji
3961 * First limited release.